From dbef7b7ebd4450c2debd996ca484540cd1ebd307 Mon Sep 17 00:00:00 2001 From: Alexandre Yang Date: Wed, 18 Mar 2026 20:12:45 +0100 Subject: [PATCH] feat(allowedsymbols): add safety emoji legend to symbol comments and package README Co-Authored-By: Claude Opus 4.6 --- allowedsymbols/README.md | 63 ++ allowedsymbols/symbols_allowedpaths.go | 80 +-- allowedsymbols/symbols_builtins.go | 872 ++++++++++++------------- allowedsymbols/symbols_internal.go | 164 ++--- allowedsymbols/symbols_interp.go | 214 +++--- 5 files changed, 728 insertions(+), 665 deletions(-) create mode 100644 allowedsymbols/README.md diff --git a/allowedsymbols/README.md b/allowedsymbols/README.md new file mode 100644 index 00000000..ccca2139 --- /dev/null +++ b/allowedsymbols/README.md @@ -0,0 +1,63 @@ +# allowedsymbols + +Static enforcement of symbol-level import restrictions for the rshell interpreter. + +## Purpose + +rshell is a sandboxed shell. Any Go package it imports is a potential escape vector. This package maintains **explicit allowlists** of every `importpath.Symbol` that each subsystem is permitted to use, and enforces those lists via Go AST analysis run as tests. + +If a symbol is not on the list, the code cannot compile it through CI — adding new capabilities requires a deliberate, reviewed allowlist entry. + +## Permanently Banned Packages + +Some packages may never be imported regardless of the symbol, declared in `symbols_common.go`: + +## Allowlists + +Each subsystem has its own allowlist file: + +| File | Governs | +|------|---------| +| `symbols_builtins.go` | `builtins/` — builtin command implementations | +| `symbols_interp.go` | `interp/` — interpreter core | +| `symbols_allowedpaths.go` | `allowedpaths/` — filesystem sandbox | +| `symbols_internal.go` | `builtins/internal/` — shared internal helpers | + +### Two-layer system for builtins + +Builtins use two complementary lists: + +- **`builtinAllowedSymbols`** — global ceiling: every symbol any builtin may use. +- **`builtinPerCommandSymbols`** — per-command sublists: each builtin directory (`cat/`, `grep/`, …) declares only the symbols it actually needs. + +Every symbol in a per-command list must be present in the global ceiling. Every symbol in the global ceiling must appear in at least one per-command list. This keeps each builtin's surface area minimal and auditable in isolation. + +The same two-layer pattern applies to `builtins/internal/` via `internalAllowedSymbols` and `internalPerPackageSymbols`. + +## Safety Legend + +Each allowlist entry carries an inline comment prefixed with a safety emoji: + +| Emoji | Meaning | Examples | +|-------|---------|---------| +| 🟢 | **Pure** — no side effects (pure functions, constants, types, interfaces) | `strings.Split`, `fmt.Sprintf`, `io.Reader`, AST types | +| 🟠 | **Read-only I/O** — reads from filesystem, OS state, or kernel; or delegates writes to an `io.Writer` | `os.Open`, `os.ReadFile`, `time.Now`, `net.Interfaces`, `syscall.Getsid` | +| 🔴 | **Privileged** — network I/O, unsafe memory, or native code loading | `net.DefaultResolver`, `pro-bing.NewPinger`, `unsafe.Pointer`, `syscall.MustLoadDLL` | + +## Enforcement + +The tests in this package use Go's `go/parser` and `go/ast` to walk source files and verify: + +1. No permanently banned package is imported. +2. Every imported package is in the allowlist. +3. Every `pkg.Symbol` reference is explicitly listed. +4. Every symbol in an allowlist is actually used (no dead entries). +5. Every builtin subdirectory has a per-command entry. + +Verification tests additionally inject banned imports or unlisted symbols into a temporary copy of the repo and assert the checker catches them. + +## Adding a New Symbol + +1. Add a line to the appropriate allowlist (and the per-command sublist if it's a builtin). +2. Prefix the comment with the correct safety emoji. +3. Run `go test ./allowedsymbols/` to verify the entry is valid and used. diff --git a/allowedsymbols/symbols_allowedpaths.go b/allowedsymbols/symbols_allowedpaths.go index 01c286be..f9bc23cc 100644 --- a/allowedsymbols/symbols_allowedpaths.go +++ b/allowedsymbols/symbols_allowedpaths.go @@ -17,44 +17,44 @@ package allowedsymbols // // The permanently banned packages (reflect, unsafe) apply here too. var allowedpathsAllowedSymbols = []string{ - "errors.As", // error type assertion; pure function, no I/O. - "errors.Is", // error comparison; pure function, no I/O. - "errors.New", // creates a simple error value; pure function, no I/O. - "fmt.Errorf", // formatted error creation; pure function, no I/O. - "io.EOF", // sentinel error value; pure constant. - "io.ReadWriteCloser", // combined interface type; no side effects. - "io/fs.DirEntry", // interface type for directory entries; no side effects. - "io/fs.ErrExist", // sentinel error for "already exists"; pure constant. - "io/fs.ErrNotExist", // sentinel error for "does not exist"; pure constant. - "io/fs.ErrPermission", // sentinel error for permission denied; pure constant. - "io/fs.FileInfo", // interface type for file metadata; no side effects. - "io/fs.FileMode", // file permission bits type; pure type. - "io/fs.ReadDirFile", // read-only directory handle interface; no write capability. - "os.DevNull", // platform null device path constant; pure constant. - "os.ErrPermission", // sentinel error for permission denied; pure constant. - "os.FileMode", // file permission bits type; pure type. - "os.Getgid", // returns the numeric group id of the caller; read-only syscall. - "os.Getgroups", // returns supplementary group ids; read-only syscall. - "os.Getuid", // returns the numeric user id of the caller; read-only syscall. - "os.O_RDONLY", // read-only file flag constant; pure constant. - "os.OpenRoot", // opens a directory as a root for sandboxed file access; needed for sandbox. - "os.PathError", // error type wrapping path and operation; pure type. - "os.Root", // sandboxed directory root type; core of the filesystem sandbox. - "os.Stat", // returns file info for a path; needed for sandbox path validation. - "path/filepath.Abs", // returns absolute path; pure path computation. - "path/filepath.IsAbs", // checks if path is absolute; pure function, no I/O. - "path/filepath.Join", // joins path elements; pure function, no I/O. - "path/filepath.Rel", // returns relative path; pure path computation. - "path/filepath.Separator", // OS path separator constant; pure constant. - "slices.SortFunc", // sorts a slice with a comparison function; pure function, no I/O. - "strings.Compare", // compares two strings lexicographically; pure function, no I/O. - "strings.EqualFold", // case-insensitive string comparison; pure function, no I/O. - "strings.HasPrefix", // pure function for prefix matching; no I/O. - "syscall.ByHandleFileInformation", // Windows file identity structure; pure type for file metadata. - "syscall.EISDIR", // "is a directory" errno constant; pure constant. - "syscall.Errno", // system call error number type; pure type. - "syscall.GetFileInformationByHandle", // Windows API for file identity (vol serial + file index); read-only syscall. - "syscall.Handle", // Windows file handle type; pure type alias. - "syscall.O_NONBLOCK", // non-blocking open flag; prevents blocking on FIFOs during access checks. Pure constant. - "syscall.Stat_t", // file stat structure type; pure type for Unix file metadata. + "errors.As", // 🟢 error type assertion; pure function, no I/O. + "errors.Is", // 🟢 error comparison; pure function, no I/O. + "errors.New", // 🟢 creates a simple error value; pure function, no I/O. + "fmt.Errorf", // 🟢 formatted error creation; pure function, no I/O. + "io.EOF", // 🟢 sentinel error value; pure constant. + "io.ReadWriteCloser", // 🟢 combined interface type; no side effects. + "io/fs.DirEntry", // 🟢 interface type for directory entries; no side effects. + "io/fs.ErrExist", // 🟢 sentinel error for "already exists"; pure constant. + "io/fs.ErrNotExist", // 🟢 sentinel error for "does not exist"; pure constant. + "io/fs.ErrPermission", // 🟢 sentinel error for permission denied; pure constant. + "io/fs.FileInfo", // 🟢 interface type for file metadata; no side effects. + "io/fs.FileMode", // 🟢 file permission bits type; pure type. + "io/fs.ReadDirFile", // 🟢 read-only directory handle interface; no write capability. + "os.DevNull", // 🟢 platform null device path constant; pure constant. + "os.ErrPermission", // 🟢 sentinel error for permission denied; pure constant. + "os.FileMode", // 🟢 file permission bits type; pure type. + "os.Getgid", // 🟠 returns the numeric group id of the caller; read-only syscall. + "os.Getgroups", // 🟠 returns supplementary group ids; read-only syscall. + "os.Getuid", // 🟠 returns the numeric user id of the caller; read-only syscall. + "os.O_RDONLY", // 🟢 read-only file flag constant; pure constant. + "os.OpenRoot", // 🟠 opens a directory as a root for sandboxed file access; needed for sandbox. + "os.PathError", // 🟢 error type wrapping path and operation; pure type. + "os.Root", // 🟠 sandboxed directory root type; core of the filesystem sandbox. + "os.Stat", // 🟠 returns file info for a path; needed for sandbox path validation. + "path/filepath.Abs", // 🟢 returns absolute path; pure path computation. + "path/filepath.IsAbs", // 🟢 checks if path is absolute; pure function, no I/O. + "path/filepath.Join", // 🟢 joins path elements; pure function, no I/O. + "path/filepath.Rel", // 🟢 returns relative path; pure path computation. + "path/filepath.Separator", // 🟢 OS path separator constant; pure constant. + "slices.SortFunc", // 🟢 sorts a slice with a comparison function; pure function, no I/O. + "strings.Compare", // 🟢 compares two strings lexicographically; pure function, no I/O. + "strings.EqualFold", // 🟢 case-insensitive string comparison; pure function, no I/O. + "strings.HasPrefix", // 🟢 pure function for prefix matching; no I/O. + "syscall.ByHandleFileInformation", // 🟢 Windows file identity structure; pure type for file metadata. + "syscall.EISDIR", // 🟢 "is a directory" errno constant; pure constant. + "syscall.Errno", // 🟢 system call error number type; pure type. + "syscall.GetFileInformationByHandle", // 🟠 Windows API for file identity (vol serial + file index); read-only syscall. + "syscall.Handle", // 🟢 Windows file handle type; pure type alias. + "syscall.O_NONBLOCK", // 🟢 non-blocking open flag; prevents blocking on FIFOs during access checks. Pure constant. + "syscall.Stat_t", // 🟢 file stat structure type; pure type for Unix file metadata. } diff --git a/allowedsymbols/symbols_builtins.go b/allowedsymbols/symbols_builtins.go index 4c5fe1e7..ab21830f 100644 --- a/allowedsymbols/symbols_builtins.go +++ b/allowedsymbols/symbols_builtins.go @@ -28,494 +28,494 @@ package allowedsymbols // (which acts as the global ceiling). var builtinPerCommandSymbols = map[string][]string{ "break": { - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. }, "cat": { - "bufio.NewScanner", // line-by-line input reading (e.g. head, cat); no write or exec capability. - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. - "errors.Is", // error comparison; pure function, no I/O. - "io.EOF", // sentinel error value; pure constant. - "io.NopCloser", // wraps a Reader with a no-op Close; no side effects. - "io.ReadCloser", // interface type; no side effects. - "os.O_RDONLY", // read-only file flag constant; cannot open files by itself. + "bufio.NewScanner", // 🟢 line-by-line input reading (e.g. head, cat); no write or exec capability. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. + "errors.Is", // 🟢 error comparison; pure function, no I/O. + "io.EOF", // 🟢 sentinel error value; pure constant. + "io.NopCloser", // 🟢 wraps a Reader with a no-op Close; no side effects. + "io.ReadCloser", // 🟢 interface type; no side effects. + "os.O_RDONLY", // 🟢 read-only file flag constant; cannot open files by itself. }, "continue": { - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. }, "cut": { - "bufio.NewScanner", // line-by-line input reading (e.g. head, cat); no write or exec capability. - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. - "io.NopCloser", // wraps a Reader with a no-op Close; no side effects. - "io.ReadCloser", // interface type; no side effects. - "math.MaxInt32", // integer constant; no side effects. - "os.O_RDONLY", // read-only file flag constant; cannot open files by itself. - "slices.SortFunc", // sorts a slice with a comparison function; pure function, no I/O. - "strconv.Atoi", // string-to-int conversion; pure function, no I/O. - "strings.IndexByte", // finds byte in string; pure function, no I/O. - "strings.Split", // splits a string by separator into a slice; pure function, no I/O. + "bufio.NewScanner", // 🟢 line-by-line input reading (e.g. head, cat); no write or exec capability. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. + "io.NopCloser", // 🟢 wraps a Reader with a no-op Close; no side effects. + "io.ReadCloser", // 🟢 interface type; no side effects. + "math.MaxInt32", // 🟢 integer constant; no side effects. + "os.O_RDONLY", // 🟢 read-only file flag constant; cannot open files by itself. + "slices.SortFunc", // 🟢 sorts a slice with a comparison function; pure function, no I/O. + "strconv.Atoi", // 🟢 string-to-int conversion; pure function, no I/O. + "strings.IndexByte", // 🟢 finds byte in string; pure function, no I/O. + "strings.Split", // 🟢 splits a string by separator into a slice; pure function, no I/O. }, "echo": { - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. - "strings.Builder", // efficient string concatenation; pure in-memory buffer, no I/O. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. + "strings.Builder", // 🟢 efficient string concatenation; pure in-memory buffer, no I/O. }, "exit": { - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. - "strconv.Atoi", // string-to-int conversion; pure function, no I/O. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. + "strconv.Atoi", // 🟢 string-to-int conversion; pure function, no I/O. }, "false": { - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. }, "find": { - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. - "errors.As", // error type assertion; pure function, no I/O. - "errors.Is", // error comparison; pure function, no I/O. - "errors.New", // creates a simple error value; pure function, no I/O. - "fmt.Errorf", // error formatting; pure function, no I/O. - "io.EOF", // sentinel error value; pure constant. - "io/fs.FileInfo", // interface type for file information; no side effects. - "io/fs.FileMode", // file permission bits type; pure type. - "io/fs.ModeCharDevice", // file mode bit constant for character devices; pure constant. - "io/fs.ModeDevice", // file mode bit constant for block devices; pure constant. - "io/fs.ModeDir", // file mode bit constant for directories; pure constant. - "io/fs.ModeNamedPipe", // file mode bit constant for named pipes; pure constant. - "io/fs.ModeSetgid", // file mode bit constant for setgid; pure constant. - "io/fs.ModeSetuid", // file mode bit constant for setuid; pure constant. - "io/fs.ModeSocket", // file mode bit constant for sockets; pure constant. - "io/fs.ModeSticky", // file mode bit constant for sticky bit; pure constant. - "io/fs.ModeSymlink", // file mode bit constant for symlinks; pure constant. - "io/fs.ReadDirFile", // read-only directory handle interface; no write capability. - "math.Ceil", // pure arithmetic; no side effects. - "math.Floor", // pure arithmetic; no side effects. - "math.MaxInt64", // integer constant; no side effects. - "os.IsNotExist", // checks if error is "not exist"; pure function, no I/O. - "os.PathError", // error type for path operations; pure type. - "path/filepath.ToSlash", // converts OS path separators to forward slashes; pure function, no I/O. - "strconv.Atoi", // string-to-int conversion; pure function, no I/O. - "strconv.ErrRange", // sentinel error value for overflow; pure constant. - "strconv.ParseInt", // string-to-int conversion; pure function, no I/O. - "strconv.ParseUint", // string-to-unsigned-int conversion; pure function, no I/O. - "strings.HasPrefix", // pure function for prefix matching; no I/O. - "strings.Split", // splits a string by separator into a slice; pure function, no I/O. - "strings.ToLower", // converts string to lowercase; pure function, no I/O. - "time.Duration", // duration type; pure integer alias, no I/O. - "time.Hour", // constant representing one hour; no side effects. - "time.Minute", // constant representing one minute; no side effects. - "time.Second", // constant representing one second; no side effects. - "time.Time", // time value type; pure data, no side effects. - "unicode/utf8.DecodeRuneInString", // decodes first UTF-8 rune from a string; pure function, no I/O. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. + "errors.As", // 🟢 error type assertion; pure function, no I/O. + "errors.Is", // 🟢 error comparison; pure function, no I/O. + "errors.New", // 🟢 creates a simple error value; pure function, no I/O. + "fmt.Errorf", // 🟢 error formatting; pure function, no I/O. + "io.EOF", // 🟢 sentinel error value; pure constant. + "io/fs.FileInfo", // 🟢 interface type for file information; no side effects. + "io/fs.FileMode", // 🟢 file permission bits type; pure type. + "io/fs.ModeCharDevice", // 🟢 file mode bit constant for character devices; pure constant. + "io/fs.ModeDevice", // 🟢 file mode bit constant for block devices; pure constant. + "io/fs.ModeDir", // 🟢 file mode bit constant for directories; pure constant. + "io/fs.ModeNamedPipe", // 🟢 file mode bit constant for named pipes; pure constant. + "io/fs.ModeSetgid", // 🟢 file mode bit constant for setgid; pure constant. + "io/fs.ModeSetuid", // 🟢 file mode bit constant for setuid; pure constant. + "io/fs.ModeSocket", // 🟢 file mode bit constant for sockets; pure constant. + "io/fs.ModeSticky", // 🟢 file mode bit constant for sticky bit; pure constant. + "io/fs.ModeSymlink", // 🟢 file mode bit constant for symlinks; pure constant. + "io/fs.ReadDirFile", // 🟢 read-only directory handle interface; no write capability. + "math.Ceil", // 🟢 pure arithmetic; no side effects. + "math.Floor", // 🟢 pure arithmetic; no side effects. + "math.MaxInt64", // 🟢 integer constant; no side effects. + "os.IsNotExist", // 🟢 checks if error is "not exist"; pure function, no I/O. + "os.PathError", // 🟢 error type for path operations; pure type. + "path/filepath.ToSlash", // 🟢 converts OS path separators to forward slashes; pure function, no I/O. + "strconv.Atoi", // 🟢 string-to-int conversion; pure function, no I/O. + "strconv.ErrRange", // 🟢 sentinel error value for overflow; pure constant. + "strconv.ParseInt", // 🟢 string-to-int conversion; pure function, no I/O. + "strconv.ParseUint", // 🟢 string-to-unsigned-int conversion; pure function, no I/O. + "strings.HasPrefix", // 🟢 pure function for prefix matching; no I/O. + "strings.Split", // 🟢 splits a string by separator into a slice; pure function, no I/O. + "strings.ToLower", // 🟢 converts string to lowercase; pure function, no I/O. + "time.Duration", // 🟢 duration type; pure integer alias, no I/O. + "time.Hour", // 🟢 constant representing one hour; no side effects. + "time.Minute", // 🟢 constant representing one minute; no side effects. + "time.Second", // 🟢 constant representing one second; no side effects. + "time.Time", // 🟢 time value type; pure data, no side effects. + "unicode/utf8.DecodeRuneInString", // 🟢 decodes first UTF-8 rune from a string; pure function, no I/O. }, "grep": { - "bufio.NewScanner", // line-by-line input reading (e.g. head, cat); no write or exec capability. - "bytes.IndexByte", // finds a byte in a byte slice; pure function, no I/O. - "bytes.NewReader", // wraps a byte slice as an io.Reader; pure in-memory, no I/O. - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. - "errors.New", // creates a simple error value; pure function, no I/O. - "io.MultiReader", // combines multiple Readers into one sequential Reader; no I/O side effects. - "io.NopCloser", // wraps a Reader with a no-op Close; no side effects. - "io.ReadCloser", // interface type; no side effects. - "io.Reader", // interface type; no side effects. - "os.O_RDONLY", // read-only file flag constant; cannot open files by itself. - "regexp.Compile", // compiles a regular expression; pure function, no I/O. Uses RE2 engine (linear-time, no backtracking). - "regexp.QuoteMeta", // escapes all special regex characters in a string; pure function, no I/O. - "regexp.Regexp", // compiled regular expression type; no I/O side effects. All matching methods are linear-time (RE2). - "strconv.Itoa", // int-to-string conversion; pure function, no I/O. - "strconv.ParseBool", // string-to-bool conversion; pure function, no I/O. - "strings.Builder", // efficient string concatenation; pure in-memory buffer, no I/O. - "strings.Join", // concatenates a slice of strings with a separator; pure function, no I/O. - "strings.Split", // splits a string by separator into a slice; pure function, no I/O. + "bufio.NewScanner", // 🟢 line-by-line input reading (e.g. head, cat); no write or exec capability. + "bytes.IndexByte", // 🟢 finds a byte in a byte slice; pure function, no I/O. + "bytes.NewReader", // 🟢 wraps a byte slice as an io.Reader; pure in-memory, no I/O. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. + "errors.New", // 🟢 creates a simple error value; pure function, no I/O. + "io.MultiReader", // 🟢 combines multiple Readers into one sequential Reader; no I/O side effects. + "io.NopCloser", // 🟢 wraps a Reader with a no-op Close; no side effects. + "io.ReadCloser", // 🟢 interface type; no side effects. + "io.Reader", // 🟢 interface type; no side effects. + "os.O_RDONLY", // 🟢 read-only file flag constant; cannot open files by itself. + "regexp.Compile", // 🟢 compiles a regular expression; pure function, no I/O. Uses RE2 engine (linear-time, no backtracking). + "regexp.QuoteMeta", // 🟢 escapes all special regex characters in a string; pure function, no I/O. + "regexp.Regexp", // 🟢 compiled regular expression type; no I/O side effects. All matching methods are linear-time (RE2). + "strconv.Itoa", // 🟢 int-to-string conversion; pure function, no I/O. + "strconv.ParseBool", // 🟢 string-to-bool conversion; pure function, no I/O. + "strings.Builder", // 🟢 efficient string concatenation; pure in-memory buffer, no I/O. + "strings.Join", // 🟢 concatenates a slice of strings with a separator; pure function, no I/O. + "strings.Split", // 🟢 splits a string by separator into a slice; pure function, no I/O. }, "help": { - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. }, "head": { - "bufio.NewScanner", // line-by-line input reading (e.g. head, cat); no write or exec capability. - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. - "errors.Is", // error comparison; pure function, no I/O. - "errors.New", // creates a simple error value; pure function, no I/O. - "io.EOF", // sentinel error value; pure constant. - "io.ReadSeeker", // interface type combining Reader and Seeker; no side effects. - "io.Reader", // interface type; no side effects. - "io.SeekCurrent", // whence constant for Seek(offset, SeekCurrent); pure constant. - "os.O_RDONLY", // read-only file flag constant; cannot open files by itself. - "strconv.ParseInt", // string-to-int conversion with base/bit-size; pure function, no I/O. + "bufio.NewScanner", // 🟢 line-by-line input reading (e.g. head, cat); no write or exec capability. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. + "errors.Is", // 🟢 error comparison; pure function, no I/O. + "errors.New", // 🟢 creates a simple error value; pure function, no I/O. + "io.EOF", // 🟢 sentinel error value; pure constant. + "io.ReadSeeker", // 🟢 interface type combining Reader and Seeker; no side effects. + "io.Reader", // 🟢 interface type; no side effects. + "io.SeekCurrent", // 🟢 whence constant for Seek(offset, SeekCurrent); pure constant. + "os.O_RDONLY", // 🟢 read-only file flag constant; cannot open files by itself. + "strconv.ParseInt", // 🟢 string-to-int conversion with base/bit-size; pure function, no I/O. }, "ls": { - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. - "errors.New", // creates a simple error value; pure function, no I/O. - "fmt.Sprintf", // string formatting; pure function, no I/O. - "io/fs.DirEntry", // interface type for directory entries; no side effects. - "io/fs.FileInfo", // interface type for file information; no side effects. - "io/fs.ModeDir", // file mode bit constant for directories; pure constant. - "io/fs.ModeNamedPipe", // file mode bit constant for named pipes; pure constant. - "io/fs.ModeSetgid", // file mode bit constant for setgid; pure constant. - "io/fs.ModeSetuid", // file mode bit constant for setuid; pure constant. - "io/fs.ModeSocket", // file mode bit constant for sockets; pure constant. - "io/fs.ModeSticky", // file mode bit constant for sticky bit; pure constant. - "io/fs.ModeSymlink", // file mode bit constant for symlinks; pure constant. - "os.O_RDONLY", // read-only file flag constant; used on Windows for sandbox-aware file open. - "runtime.GOOS", // current OS name constant; pure constant, no I/O. - "slices.Reverse", // reverses a slice in-place; pure function, no I/O. - "slices.SortFunc", // sorts a slice with a comparison function; pure function, no I/O. - "syscall.ByHandleFileInformation", // Windows file info struct for extracting nlink; read-only type, no I/O. - "syscall.GetFileInformationByHandle", // Windows API to query file metadata by handle; read-only, no I/O side effects. - "syscall.Handle", // Windows file handle type; pure type alias, no I/O. - "syscall.Stat_t", // Unix file stat struct for extracting UID/GID/nlink; read-only type, no I/O. - "time.Time", // time value type; pure data, no side effects. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. + "errors.New", // 🟢 creates a simple error value; pure function, no I/O. + "fmt.Sprintf", // 🟢 string formatting; pure function, no I/O. + "io/fs.DirEntry", // 🟢 interface type for directory entries; no side effects. + "io/fs.FileInfo", // 🟢 interface type for file information; no side effects. + "io/fs.ModeDir", // 🟢 file mode bit constant for directories; pure constant. + "io/fs.ModeNamedPipe", // 🟢 file mode bit constant for named pipes; pure constant. + "io/fs.ModeSetgid", // 🟢 file mode bit constant for setgid; pure constant. + "io/fs.ModeSetuid", // 🟢 file mode bit constant for setuid; pure constant. + "io/fs.ModeSocket", // 🟢 file mode bit constant for sockets; pure constant. + "io/fs.ModeSticky", // 🟢 file mode bit constant for sticky bit; pure constant. + "io/fs.ModeSymlink", // 🟢 file mode bit constant for symlinks; pure constant. + "os.O_RDONLY", // 🟢 read-only file flag constant; used on Windows for sandbox-aware file open. + "runtime.GOOS", // 🟢 current OS name constant; pure constant, no I/O. + "slices.Reverse", // 🟢 reverses a slice in-place; pure function, no I/O. + "slices.SortFunc", // 🟢 sorts a slice with a comparison function; pure function, no I/O. + "syscall.ByHandleFileInformation", // 🟢 Windows file info struct for extracting nlink; read-only type, no I/O. + "syscall.GetFileInformationByHandle", // 🟠 Windows API to query file metadata by handle; read-only, no I/O side effects. + "syscall.Handle", // 🟢 Windows file handle type; pure type alias, no I/O. + "syscall.Stat_t", // 🟢 Unix file stat struct for extracting UID/GID/nlink; read-only type, no I/O. + "time.Time", // 🟢 time value type; pure data, no side effects. }, "ps": { - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. - "fmt.Errorf", // error formatting; pure function, no I/O. - "strconv.Atoi", // string-to-int conversion; pure function, no I/O. - "strings.Fields", // splits a string on all whitespace; pure function, no I/O. - "strings.ReplaceAll", // replaces all occurrences of a substring; pure function, no I/O. - "strings.Split", // splits a string by separator into a slice; pure function, no I/O. - "strings.TrimSpace", // removes leading/trailing whitespace; pure function. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. + "fmt.Errorf", // 🟢 error formatting; pure function, no I/O. + "strconv.Atoi", // 🟢 string-to-int conversion; pure function, no I/O. + "strings.Fields", // 🟢 splits a string on all whitespace; pure function, no I/O. + "strings.ReplaceAll", // 🟢 replaces all occurrences of a substring; pure function, no I/O. + "strings.Split", // 🟢 splits a string by separator into a slice; pure function, no I/O. + "strings.TrimSpace", // 🟢 removes leading/trailing whitespace; pure function. }, "printf": { - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. - "errors.As", // error type assertion; pure function, no I/O. - "fmt.Sprintf", // string formatting; pure function, no I/O. - "math.Inf", // returns positive or negative infinity; pure function, no I/O. - "math.MaxUint64", // integer constant; no side effects. - "math.NaN", // returns IEEE 754 NaN value; pure function, no I/O. - "strconv.Atoi", // string-to-int conversion; pure function, no I/O. - "strconv.ErrRange", // sentinel error value for overflow; pure constant. - "strconv.IntSize", // platform int size constant (32 or 64); pure constant, no I/O. - "strconv.Itoa", // int-to-string conversion; pure function, no I/O. - "strconv.NumError", // error type for numeric conversion failures; pure type. - "strconv.ParseFloat", // string-to-float conversion; pure function, no I/O. - "strconv.ParseInt", // string-to-int conversion with base/bit-size; pure function, no I/O. - "strconv.ParseUint", // string-to-unsigned-int conversion; pure function, no I/O. - "strings.Builder", // efficient string concatenation; pure in-memory buffer, no I/O. - "strings.ContainsRune", // checks if a rune is in a string; pure function, no I/O. - "strings.ReplaceAll", // replaces all occurrences of a substring; pure function, no I/O. - "strings.ToLower", // converts string to lowercase; pure function, no I/O. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. + "errors.As", // 🟢 error type assertion; pure function, no I/O. + "fmt.Sprintf", // 🟢 string formatting; pure function, no I/O. + "math.Inf", // 🟢 returns positive or negative infinity; pure function, no I/O. + "math.MaxUint64", // 🟢 integer constant; no side effects. + "math.NaN", // 🟢 returns IEEE 754 NaN value; pure function, no I/O. + "strconv.Atoi", // 🟢 string-to-int conversion; pure function, no I/O. + "strconv.ErrRange", // 🟢 sentinel error value for overflow; pure constant. + "strconv.IntSize", // 🟢 platform int size constant (32 or 64); pure constant, no I/O. + "strconv.Itoa", // 🟢 int-to-string conversion; pure function, no I/O. + "strconv.NumError", // 🟢 error type for numeric conversion failures; pure type. + "strconv.ParseFloat", // 🟢 string-to-float conversion; pure function, no I/O. + "strconv.ParseInt", // 🟢 string-to-int conversion with base/bit-size; pure function, no I/O. + "strconv.ParseUint", // 🟢 string-to-unsigned-int conversion; pure function, no I/O. + "strings.Builder", // 🟢 efficient string concatenation; pure in-memory buffer, no I/O. + "strings.ContainsRune", // 🟢 checks if a rune is in a string; pure function, no I/O. + "strings.ReplaceAll", // 🟢 replaces all occurrences of a substring; pure function, no I/O. + "strings.ToLower", // 🟢 converts string to lowercase; pure function, no I/O. }, "sort": { - "bufio.NewScanner", // line-by-line input reading (e.g. head, cat); no write or exec capability. - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. - "errors.New", // creates a simple error value; pure function, no I/O. - "fmt.Errorf", // error formatting; pure function, no I/O. - "io.NopCloser", // wraps a Reader with a no-op Close; no side effects. - "io.ReadCloser", // interface type; no side effects. - "os.O_RDONLY", // read-only file flag constant; cannot open files by itself. - "slices.SortFunc", // sorts a slice with a comparison function; pure function, no I/O. - "slices.SortStableFunc", // stable sort with a comparison function; pure function, no I/O. - "strconv.Atoi", // string-to-int conversion; pure function, no I/O. - "strings.Builder", // efficient string concatenation; pure in-memory buffer, no I/O. - "strings.IndexByte", // finds byte in string; pure function, no I/O. + "bufio.NewScanner", // 🟢 line-by-line input reading (e.g. head, cat); no write or exec capability. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. + "errors.New", // 🟢 creates a simple error value; pure function, no I/O. + "fmt.Errorf", // 🟢 error formatting; pure function, no I/O. + "io.NopCloser", // 🟢 wraps a Reader with a no-op Close; no side effects. + "io.ReadCloser", // 🟢 interface type; no side effects. + "os.O_RDONLY", // 🟢 read-only file flag constant; cannot open files by itself. + "slices.SortFunc", // 🟢 sorts a slice with a comparison function; pure function, no I/O. + "slices.SortStableFunc", // 🟢 stable sort with a comparison function; pure function, no I/O. + "strconv.Atoi", // 🟢 string-to-int conversion; pure function, no I/O. + "strings.Builder", // 🟢 efficient string concatenation; pure in-memory buffer, no I/O. + "strings.IndexByte", // 🟢 finds byte in string; pure function, no I/O. }, "sed": { - "bufio.NewScanner", // line-by-line input reading (e.g. head, cat); no write or exec capability. - "bufio.Scanner", // scanner type for buffered input reading; no write or exec capability. - "bytes.IndexByte", // finds a byte in a byte slice; pure function, no I/O. - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. - "errors.As", // error type assertion; pure function, no I/O. - "errors.New", // creates a simple error value; pure function, no I/O. - "fmt.Sprintf", // string formatting; pure function, no I/O. - "io.NopCloser", // wraps a Reader with a no-op Close; no side effects. - "io.ReadCloser", // interface type; no side effects. - "os.FileInfo", // file metadata interface returned by Stat; no I/O side effects. - "os.O_RDONLY", // read-only file flag constant; cannot open files by itself. - "regexp.Compile", // compiles a regular expression; pure function, no I/O. Uses RE2 engine (linear-time, no backtracking). - "regexp.Regexp", // compiled regular expression type; no I/O side effects. All matching methods are linear-time (RE2). - "strconv.Atoi", // string-to-int conversion; pure function, no I/O. - "strconv.ParseInt", // string-to-int conversion with base/bit-size; pure function, no I/O. - "strings.Builder", // efficient string concatenation; pure in-memory buffer, no I/O. - "strings.IndexByte", // finds byte in string; pure function, no I/O. - "strings.Join", // concatenates a slice of strings with a separator; pure function, no I/O. + "bufio.NewScanner", // 🟢 line-by-line input reading (e.g. head, cat); no write or exec capability. + "bufio.Scanner", // 🟢 scanner type for buffered input reading; no write or exec capability. + "bytes.IndexByte", // 🟢 finds a byte in a byte slice; pure function, no I/O. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. + "errors.As", // 🟢 error type assertion; pure function, no I/O. + "errors.New", // 🟢 creates a simple error value; pure function, no I/O. + "fmt.Sprintf", // 🟢 string formatting; pure function, no I/O. + "io.NopCloser", // 🟢 wraps a Reader with a no-op Close; no side effects. + "io.ReadCloser", // 🟢 interface type; no side effects. + "os.FileInfo", // 🟢 file metadata interface returned by Stat; no I/O side effects. + "os.O_RDONLY", // 🟢 read-only file flag constant; cannot open files by itself. + "regexp.Compile", // 🟢 compiles a regular expression; pure function, no I/O. Uses RE2 engine (linear-time, no backtracking). + "regexp.Regexp", // 🟢 compiled regular expression type; no I/O side effects. All matching methods are linear-time (RE2). + "strconv.Atoi", // 🟢 string-to-int conversion; pure function, no I/O. + "strconv.ParseInt", // 🟢 string-to-int conversion with base/bit-size; pure function, no I/O. + "strings.Builder", // 🟢 efficient string concatenation; pure in-memory buffer, no I/O. + "strings.IndexByte", // 🟢 finds byte in string; pure function, no I/O. + "strings.Join", // 🟢 concatenates a slice of strings with a separator; pure function, no I/O. }, "strings_cmd": { - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. - "errors.As", // error type assertion; pure function, no I/O. - "errors.Is", // error comparison; pure function, no I/O. - "errors.New", // creates a simple error value; pure function, no I/O. - "fmt.Sprintf", // string formatting; pure function, no I/O. - "io.EOF", // sentinel error value; pure constant. - "io.NopCloser", // wraps a Reader with a no-op Close; no side effects. - "io.ReadCloser", // interface type; no side effects. - "os.O_RDONLY", // read-only file flag constant; cannot open files by itself. - "os.PathError", // error type for filesystem path errors; pure type, no I/O. - "strconv.FormatInt", // int-to-string conversion; pure function, no I/O. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. + "errors.As", // 🟢 error type assertion; pure function, no I/O. + "errors.Is", // 🟢 error comparison; pure function, no I/O. + "errors.New", // 🟢 creates a simple error value; pure function, no I/O. + "fmt.Sprintf", // 🟢 string formatting; pure function, no I/O. + "io.EOF", // 🟢 sentinel error value; pure constant. + "io.NopCloser", // 🟢 wraps a Reader with a no-op Close; no side effects. + "io.ReadCloser", // 🟢 interface type; no side effects. + "os.O_RDONLY", // 🟢 read-only file flag constant; cannot open files by itself. + "os.PathError", // 🟢 error type for filesystem path errors; pure type, no I/O. + "strconv.FormatInt", // 🟢 int-to-string conversion; pure function, no I/O. }, "tail": { - "bufio.NewScanner", // line-by-line input reading (e.g. head, cat); no write or exec capability. - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. - "errors.Is", // error comparison; pure function, no I/O. - "errors.New", // creates a simple error value; pure function, no I/O. - "io.EOF", // sentinel error value; pure constant. - "io.NopCloser", // wraps a Reader with a no-op Close; no side effects. - "io.ReadCloser", // interface type; no side effects. - "io.Reader", // interface type; no side effects. - "math.MinInt64", // integer constant; no side effects. - "os.FileInfo", // file metadata interface returned by Stat; no I/O side effects. - "os.O_RDONLY", // read-only file flag constant; cannot open files by itself. - "strconv.ErrRange", // sentinel error value for overflow; pure constant. - "strconv.ParseInt", // string-to-int conversion with base/bit-size; pure function, no I/O. - "strconv.ParseUint", // string-to-unsigned-int conversion; pure function, no I/O. + "bufio.NewScanner", // 🟢 line-by-line input reading (e.g. head, cat); no write or exec capability. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. + "errors.Is", // 🟢 error comparison; pure function, no I/O. + "errors.New", // 🟢 creates a simple error value; pure function, no I/O. + "io.EOF", // 🟢 sentinel error value; pure constant. + "io.NopCloser", // 🟢 wraps a Reader with a no-op Close; no side effects. + "io.ReadCloser", // 🟢 interface type; no side effects. + "io.Reader", // 🟢 interface type; no side effects. + "math.MinInt64", // 🟢 integer constant; no side effects. + "os.FileInfo", // 🟢 file metadata interface returned by Stat; no I/O side effects. + "os.O_RDONLY", // 🟢 read-only file flag constant; cannot open files by itself. + "strconv.ErrRange", // 🟢 sentinel error value for overflow; pure constant. + "strconv.ParseInt", // 🟢 string-to-int conversion with base/bit-size; pure function, no I/O. + "strconv.ParseUint", // 🟢 string-to-unsigned-int conversion; pure function, no I/O. }, "testcmd": { - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. - "io/fs.FileInfo", // interface type for file information; no side effects. - "io/fs.ModeNamedPipe", // file mode bit constant for named pipes; pure constant. - "io/fs.ModeSymlink", // file mode bit constant for symlinks; pure constant. - "strconv.ParseInt", // string-to-int conversion with base/bit-size; pure function, no I/O. - "strings.TrimSpace", // removes leading/trailing whitespace; pure function. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. + "io/fs.FileInfo", // 🟢 interface type for file information; no side effects. + "io/fs.ModeNamedPipe", // 🟢 file mode bit constant for named pipes; pure constant. + "io/fs.ModeSymlink", // 🟢 file mode bit constant for symlinks; pure constant. + "strconv.ParseInt", // 🟢 string-to-int conversion with base/bit-size; pure function, no I/O. + "strings.TrimSpace", // 🟢 removes leading/trailing whitespace; pure function. }, "tr": { - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. - "errors.Is", // error comparison; pure function, no I/O. - "fmt.Sprintf", // string formatting; pure function, no I/O. - "io.EOF", // sentinel error value; pure constant. - "strconv.ParseInt", // string-to-int conversion with base/bit-size; pure function, no I/O. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. + "errors.Is", // 🟢 error comparison; pure function, no I/O. + "fmt.Sprintf", // 🟢 string formatting; pure function, no I/O. + "io.EOF", // 🟢 sentinel error value; pure constant. + "strconv.ParseInt", // 🟢 string-to-int conversion with base/bit-size; pure function, no I/O. }, "true": { - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. }, "uniq": { - "bufio.NewScanner", // line-by-line input reading (e.g. head, cat); no write or exec capability. - "bufio.SplitFunc", // type for custom scanner split functions; pure type, no I/O. - "bytes.Equal", // compares two byte slices for equality; pure function, no I/O. - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. - "io.NopCloser", // wraps a Reader with a no-op Close; no side effects. - "io.ReadCloser", // interface type; no side effects. - "io.Reader", // interface type; no side effects. - "io.WriteString", // writes a string to a writer; no filesystem access, delegates to Write. - "io.Writer", // interface type for writing; no side effects. - "math.MaxInt64", // integer constant; no side effects. - "os.O_RDONLY", // read-only file flag constant; cannot open files by itself. - "strconv.ErrRange", // sentinel error value for overflow; pure constant. - "strconv.FormatInt", // int-to-string conversion; pure function, no I/O. - "strconv.NumError", // error type for numeric conversion failures; pure type. - "strconv.ParseInt", // string-to-int conversion with base/bit-size; pure function, no I/O. - "strings.HasPrefix", // pure function for prefix matching; no I/O. + "bufio.NewScanner", // 🟢 line-by-line input reading (e.g. head, cat); no write or exec capability. + "bufio.SplitFunc", // 🟢 type for custom scanner split functions; pure type, no I/O. + "bytes.Equal", // 🟢 compares two byte slices for equality; pure function, no I/O. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. + "io.NopCloser", // 🟢 wraps a Reader with a no-op Close; no side effects. + "io.ReadCloser", // 🟢 interface type; no side effects. + "io.Reader", // 🟢 interface type; no side effects. + "io.WriteString", // 🟠 writes a string to a writer; no filesystem access, delegates to Write. + "io.Writer", // 🟢 interface type for writing; no side effects. + "math.MaxInt64", // 🟢 integer constant; no side effects. + "os.O_RDONLY", // 🟢 read-only file flag constant; cannot open files by itself. + "strconv.ErrRange", // 🟢 sentinel error value for overflow; pure constant. + "strconv.FormatInt", // 🟢 int-to-string conversion; pure function, no I/O. + "strconv.NumError", // 🟢 error type for numeric conversion failures; pure type. + "strconv.ParseInt", // 🟢 string-to-int conversion with base/bit-size; pure function, no I/O. + "strings.HasPrefix", // 🟢 pure function for prefix matching; no I/O. }, "ss": { - "bufio.NewScanner", // line-by-line /proc/net/ file reading; no write or exec capability. - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. - "errors.Is", // error comparison; used to distinguish syscall.ENOENT from unexpected errors. - "fmt.Errorf", // error formatting; pure function, no I/O. - "fmt.Sprintf", // string formatting; pure function, no I/O. - "os.O_RDONLY", // read-only file flag constant; cannot open files by itself. - "strconv.FormatUint", // uint-to-string conversion; pure function, no I/O. - "strconv.Itoa", // int-to-string conversion; pure function, no I/O. - "strconv.ParseUint", // string-to-unsigned-int conversion; pure function, no I/O. - "strings.Builder", // efficient string concatenation; pure in-memory buffer, no I/O. - "strings.Fields", // splits a string on whitespace; pure function, no I/O. - "strings.Split", // splits a string by separator; pure function, no I/O. - "strings.ToUpper", // converts string to uppercase; pure function, no I/O. - "syscall.ENOENT", // error constant for "no such file or directory"; used to distinguish IPv6-unavailable from genuine sysctl errors. - "golang.org/x/sys/unix.SysctlRaw", // macOS: reads kernel socket tables (read-only, no exec, no filesystem). + "bufio.NewScanner", // 🟢 line-by-line /proc/net/ file reading; no write or exec capability. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. + "errors.Is", // 🟢 error comparison; used to distinguish syscall.ENOENT from unexpected errors. + "fmt.Errorf", // 🟢 error formatting; pure function, no I/O. + "fmt.Sprintf", // 🟢 string formatting; pure function, no I/O. + "os.O_RDONLY", // 🟢 read-only file flag constant; cannot open files by itself. + "strconv.FormatUint", // 🟢 uint-to-string conversion; pure function, no I/O. + "strconv.Itoa", // 🟢 int-to-string conversion; pure function, no I/O. + "strconv.ParseUint", // 🟢 string-to-unsigned-int conversion; pure function, no I/O. + "strings.Builder", // 🟢 efficient string concatenation; pure in-memory buffer, no I/O. + "strings.Fields", // 🟢 splits a string on whitespace; pure function, no I/O. + "strings.Split", // 🟢 splits a string by separator; pure function, no I/O. + "strings.ToUpper", // 🟢 converts string to uppercase; pure function, no I/O. + "syscall.ENOENT", // 🟢 error constant for "no such file or directory"; used to distinguish IPv6-unavailable from genuine sysctl errors. + "golang.org/x/sys/unix.SysctlRaw", // 🟠 macOS: reads kernel socket tables (read-only, no exec, no filesystem). }, "wc": { - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. - "errors.As", // error type assertion; pure function, no I/O. - "errors.Is", // error comparison; pure function, no I/O. - "errors.New", // creates a simple error value; pure function, no I/O. - "io.EOF", // sentinel error value; pure constant. - "io.NopCloser", // wraps a Reader with a no-op Close; no side effects. - "io.ReadCloser", // interface type; no side effects. - "io.Reader", // interface type; no side effects. - "os.O_RDONLY", // read-only file flag constant; cannot open files by itself. - "strconv.FormatInt", // int-to-string conversion; pure function, no I/O. - "syscall.EISDIR", // error number constant for "is a directory"; pure constant, no I/O. - "syscall.Errno", // error type for system call error numbers; pure type, no I/O. - "unicode.Cc", // control character category range table; pure data, no I/O. - "unicode.Cf", // format character category range table; pure data, no I/O. - "unicode.Co", // private-use character category range table; pure data, no I/O. - "unicode.Is", // checks if rune belongs to a range table; pure function, no I/O. - "unicode.IsGraphic", // reports whether rune is defined as a graphic character; pure function, no I/O. - "unicode.Me", // enclosing mark category range table; pure data, no I/O. - "unicode.Mn", // nonspacing mark category range table; pure data, no I/O. - "unicode.Range16", // struct type for 16-bit Unicode ranges; pure data. - "unicode.Range32", // struct type for 32-bit Unicode ranges; pure data. - "unicode.RangeTable", // struct type for Unicode range tables; pure data. - "unicode.Zs", // Unicode space separator category range table; pure data, no I/O. - "unicode/utf8.DecodeRune", // decodes first UTF-8 rune from a byte slice; pure function, no I/O. - "unicode/utf8.RuneError", // replacement character returned for invalid UTF-8; constant, no I/O. - "unicode/utf8.UTFMax", // maximum number of bytes in a UTF-8 encoding; constant, no I/O. - "unicode/utf8.Valid", // checks if a byte slice is valid UTF-8; pure function, no I/O. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. + "errors.As", // 🟢 error type assertion; pure function, no I/O. + "errors.Is", // 🟢 error comparison; pure function, no I/O. + "errors.New", // 🟢 creates a simple error value; pure function, no I/O. + "io.EOF", // 🟢 sentinel error value; pure constant. + "io.NopCloser", // 🟢 wraps a Reader with a no-op Close; no side effects. + "io.ReadCloser", // 🟢 interface type; no side effects. + "io.Reader", // 🟢 interface type; no side effects. + "os.O_RDONLY", // 🟢 read-only file flag constant; cannot open files by itself. + "strconv.FormatInt", // 🟢 int-to-string conversion; pure function, no I/O. + "syscall.EISDIR", // 🟢 error number constant for "is a directory"; pure constant, no I/O. + "syscall.Errno", // 🟢 error type for system call error numbers; pure type, no I/O. + "unicode.Cc", // 🟢 control character category range table; pure data, no I/O. + "unicode.Cf", // 🟢 format character category range table; pure data, no I/O. + "unicode.Co", // 🟢 private-use character category range table; pure data, no I/O. + "unicode.Is", // 🟢 checks if rune belongs to a range table; pure function, no I/O. + "unicode.IsGraphic", // 🟢 reports whether rune is defined as a graphic character; pure function, no I/O. + "unicode.Me", // 🟢 enclosing mark category range table; pure data, no I/O. + "unicode.Mn", // 🟢 nonspacing mark category range table; pure data, no I/O. + "unicode.Range16", // 🟢 struct type for 16-bit Unicode ranges; pure data. + "unicode.Range32", // 🟢 struct type for 32-bit Unicode ranges; pure data. + "unicode.RangeTable", // 🟢 struct type for Unicode range tables; pure data. + "unicode.Zs", // 🟢 Unicode space separator category range table; pure data, no I/O. + "unicode/utf8.DecodeRune", // 🟢 decodes first UTF-8 rune from a byte slice; pure function, no I/O. + "unicode/utf8.RuneError", // 🟢 replacement character returned for invalid UTF-8; constant, no I/O. + "unicode/utf8.UTFMax", // 🟢 maximum number of bytes in a UTF-8 encoding; constant, no I/O. + "unicode/utf8.Valid", // 🟢 checks if a byte slice is valid UTF-8; pure function, no I/O. }, "ping": { - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. - "context.WithTimeout", // creates a child context with a deadline; no filesystem or network I/O itself. - "errors.Is", // error comparison via chain; pure function, no I/O. - "fmt.Errorf", // error formatting; pure function, no I/O. - "fmt.Sprintf", // string formatting; pure function, no I/O. - "net.DefaultResolver", // default system DNS resolver; used for context-aware address lookup; network I/O is the explicit purpose of this builtin. - "net.IPAddr", // resolved IP address struct (IP + Zone); pure data type, no I/O. - "net.ParseIP", // parses an IP address string; pure function, no I/O. - "math.IsInf", // IEEE 754 infinity check; pure function, no I/O. - "math.IsNaN", // IEEE 754 NaN check; pure function, no I/O. - "math.MaxInt64", // maximum int64 constant; used to compute time.Duration overflow boundary. - "strconv.ParseFloat", // parses integer/float seconds for -W/-i flags; pure function, no I/O. - "strings.Contains", // substring search; pure function, no I/O. - "strings.IndexByte", // finds first occurrence of a byte in a string; pure function, no I/O. - "strings.ToLower", // converts string to lowercase; pure function, no I/O. - "syscall.EACCES", // POSIX errno constant for permission denied; pure constant, no I/O. - "syscall.EPERM", // POSIX errno constant for operation not permitted; pure constant, no I/O. - "syscall.EPROTONOSUPPORT", // POSIX errno constant for protocol not supported; pure constant, no I/O. - "time.Duration", // duration type alias (int64 nanoseconds); pure type, no I/O. - "time.Millisecond", // constant representing one millisecond; no side effects. - "time.ParseDuration", // parses Go duration strings (e.g. "1s"); pure function, no I/O. - "time.Second", // constant representing one second; no side effects. - "github.com/prometheus-community/pro-bing.NewPinger", // creates an ICMP pinger; network I/O is the explicit purpose of this builtin. - "github.com/prometheus-community/pro-bing.NoopLogger", // no-op logger that discards pro-bing internal messages; no side effects. - "github.com/prometheus-community/pro-bing.Packet", // ICMP packet descriptor struct (received packet data); pure data type, no I/O. - "github.com/prometheus-community/pro-bing.Pinger", // ICMP pinger struct; network I/O is the explicit purpose of this builtin. - "github.com/prometheus-community/pro-bing.Statistics", // ping round-trip statistics struct; pure data type, no I/O. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. + "context.WithTimeout", // 🟢 creates a child context with a deadline; no filesystem or network I/O itself. + "errors.Is", // 🟢 error comparison via chain; pure function, no I/O. + "fmt.Errorf", // 🟢 error formatting; pure function, no I/O. + "fmt.Sprintf", // 🟢 string formatting; pure function, no I/O. + "net.DefaultResolver", // 🔴 default system DNS resolver; used for context-aware address lookup; network I/O is the explicit purpose of this builtin. + "net.IPAddr", // 🟢 resolved IP address struct (IP + Zone); pure data type, no I/O. + "net.ParseIP", // 🟢 parses an IP address string; pure function, no I/O. + "math.IsInf", // 🟢 IEEE 754 infinity check; pure function, no I/O. + "math.IsNaN", // 🟢 IEEE 754 NaN check; pure function, no I/O. + "math.MaxInt64", // 🟢 maximum int64 constant; used to compute time.Duration overflow boundary. + "strconv.ParseFloat", // 🟢 parses integer/float seconds for -W/-i flags; pure function, no I/O. + "strings.Contains", // 🟢 substring search; pure function, no I/O. + "strings.IndexByte", // 🟢 finds first occurrence of a byte in a string; pure function, no I/O. + "strings.ToLower", // 🟢 converts string to lowercase; pure function, no I/O. + "syscall.EACCES", // 🟢 POSIX errno constant for permission denied; pure constant, no I/O. + "syscall.EPERM", // 🟢 POSIX errno constant for operation not permitted; pure constant, no I/O. + "syscall.EPROTONOSUPPORT", // 🟢 POSIX errno constant for protocol not supported; pure constant, no I/O. + "time.Duration", // 🟢 duration type alias (int64 nanoseconds); pure type, no I/O. + "time.Millisecond", // 🟢 constant representing one millisecond; no side effects. + "time.ParseDuration", // 🟢 parses Go duration strings (e.g. "1s"); pure function, no I/O. + "time.Second", // 🟢 constant representing one second; no side effects. + "github.com/prometheus-community/pro-bing.NewPinger", // 🔴 creates an ICMP pinger; network I/O is the explicit purpose of this builtin. + "github.com/prometheus-community/pro-bing.NoopLogger", // 🟢 no-op logger that discards pro-bing internal messages; no side effects. + "github.com/prometheus-community/pro-bing.Packet", // 🟢 ICMP packet descriptor struct (received packet data); pure data type, no I/O. + "github.com/prometheus-community/pro-bing.Pinger", // 🔴 ICMP pinger struct; network I/O is the explicit purpose of this builtin. + "github.com/prometheus-community/pro-bing.Statistics", // 🟢 ping round-trip statistics struct; pure data type, no I/O. }, "ip": { - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. - "fmt.Errorf", // error formatting; pure function, no I/O. - "fmt.Sprintf", // string formatting; pure function, no I/O. - "net.FlagBroadcast", // interface flag: supports broadcast; pure constant, no network connections. - "net.FlagLoopback", // interface flag: is loopback; pure constant, no network connections. - "net.FlagMulticast", // interface flag: supports multicast; pure constant, no network connections. - "net.FlagPointToPoint", // interface flag: point-to-point link; pure constant, no network connections. - "net.FlagRunning", // interface flag: running state (Go 1.20+); pure constant, no network connections. - "net.FlagUp", // interface flag: administratively up; pure constant, no network connections. - "net.Flags", // interface flags type (uint); pure type, no network connections. - "net.IP", // IP address type ([]byte); pure type, no network connections. - "net.IPNet", // IP network struct (IP + Mask); pure type, no network connections. - "net.Interface", // network interface descriptor (read-only OS struct); no network connections. - "net.Interfaces", // read-only OS interface enumeration; no network connections or I/O. - "strings.Join", // concatenates a slice of strings with a separator; pure function, no I/O. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. + "fmt.Errorf", // 🟢 error formatting; pure function, no I/O. + "fmt.Sprintf", // 🟢 string formatting; pure function, no I/O. + "net.FlagBroadcast", // 🟢 interface flag: supports broadcast; pure constant, no network connections. + "net.FlagLoopback", // 🟢 interface flag: is loopback; pure constant, no network connections. + "net.FlagMulticast", // 🟢 interface flag: supports multicast; pure constant, no network connections. + "net.FlagPointToPoint", // 🟢 interface flag: point-to-point link; pure constant, no network connections. + "net.FlagRunning", // 🟢 interface flag: running state (Go 1.20+); pure constant, no network connections. + "net.FlagUp", // 🟢 interface flag: administratively up; pure constant, no network connections. + "net.Flags", // 🟢 interface flags type (uint); pure type, no network connections. + "net.IP", // 🟢 IP address type ([]byte); pure type, no network connections. + "net.IPNet", // 🟢 IP network struct (IP + Mask); pure type, no network connections. + "net.Interface", // 🟢 network interface descriptor (read-only OS struct); no network connections. + "net.Interfaces", // 🟠 read-only OS interface enumeration; no network connections or I/O. + "strings.Join", // 🟢 concatenates a slice of strings with a separator; pure function, no I/O. }, } var builtinAllowedSymbols = []string{ - "bufio.NewScanner", // line-by-line input reading (e.g. head, cat); no write or exec capability. - "bufio.Scanner", // scanner type for buffered input reading; no write or exec capability. - "bufio.SplitFunc", // type for custom scanner split functions; pure type, no I/O. - "bytes.Equal", // compares two byte slices for equality; pure function, no I/O. - "bytes.IndexByte", // finds a byte in a byte slice; pure function, no I/O. - "bytes.NewReader", // wraps a byte slice as an io.Reader; pure in-memory, no I/O. - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. - "context.WithTimeout", // creates a child context with a deadline; no filesystem or network I/O itself. - "errors.As", // error type assertion; pure function, no I/O. - "errors.Is", // error comparison; pure function, no I/O. - "errors.New", // creates a simple error value; pure function, no I/O. - "fmt.Errorf", // error formatting; pure function, no I/O. - "fmt.Sprintf", // string formatting; pure function, no I/O. - "github.com/prometheus-community/pro-bing.NewPinger", // creates an ICMP pinger by resolving host; network I/O is the explicit purpose of the ping builtin. - "github.com/prometheus-community/pro-bing.NoopLogger", // no-op logger that discards pro-bing internal messages; no side effects. - "github.com/prometheus-community/pro-bing.Packet", // ICMP packet descriptor struct (received packet data); pure data type, no I/O. - "github.com/prometheus-community/pro-bing.Pinger", // ICMP pinger struct; network I/O is the explicit purpose of the ping builtin. - "github.com/prometheus-community/pro-bing.Statistics", // ping round-trip statistics struct; pure data type, no I/O. - "golang.org/x/sys/unix.SysctlRaw", // macOS: reads kernel socket tables (read-only, no exec, no filesystem). - "io.EOF", // sentinel error value; pure constant. - "io.MultiReader", // combines multiple Readers into one sequential Reader; no I/O side effects. - "io.NopCloser", // wraps a Reader with a no-op Close; no side effects. - "io.ReadCloser", // interface type; no side effects. - "io.ReadSeeker", // interface type combining Reader and Seeker; no side effects. - "io.Reader", // interface type; no side effects. - "io.SeekCurrent", // whence constant for Seek(offset, SeekCurrent); pure constant. - "io.WriteString", // writes a string to a writer; no filesystem access, delegates to Write. - "io.Writer", // interface type for writing; no side effects. - "io/fs.DirEntry", // interface type for directory entries; no side effects. - "io/fs.FileInfo", // interface type for file information; no side effects. - "io/fs.FileMode", // file permission bits type; pure type. - "io/fs.ModeCharDevice", // file mode bit constant for character devices; pure constant. - "io/fs.ModeDevice", // file mode bit constant for block devices; pure constant. - "io/fs.ModeDir", // file mode bit constant for directories; pure constant. - "io/fs.ModeNamedPipe", // file mode bit constant for named pipes; pure constant. - "io/fs.ModeSetgid", // file mode bit constant for setgid; pure constant. - "io/fs.ModeSetuid", // file mode bit constant for setuid; pure constant. - "io/fs.ModeSocket", // file mode bit constant for sockets; pure constant. - "io/fs.ModeSticky", // file mode bit constant for sticky bit; pure constant. - "io/fs.ModeSymlink", // file mode bit constant for symlinks; pure constant. - "io/fs.ReadDirFile", // read-only directory handle interface; no write capability. - "math.Ceil", // pure arithmetic; no side effects. - "math.Floor", // pure arithmetic; no side effects. - "math.Inf", // returns positive or negative infinity; pure function, no I/O. - "math.IsInf", // IEEE 754 infinity check; pure function, no I/O. - "math.IsNaN", // IEEE 754 NaN check; pure function, no I/O. - "math.MaxInt32", // integer constant; no side effects. - "math.MaxInt64", // integer constant; no side effects. - "math.MaxUint64", // integer constant; no side effects. - "math.MinInt64", // integer constant; no side effects. - "math.NaN", // returns IEEE 754 NaN value; pure function, no I/O. - "net.DefaultResolver", // default system DNS resolver; used for context-aware address lookup; network I/O is the explicit purpose of the ping builtin. - "net.FlagBroadcast", // interface flag constant: broadcast capability; pure constant, no network connections. - "net.IPAddr", // resolved IP address struct (IP + Zone); pure data type, no I/O. - "net.FlagLoopback", // interface flag constant: is loopback; pure constant, no network connections. - "net.FlagMulticast", // interface flag constant: multicast capability; pure constant, no network connections. - "net.FlagPointToPoint", // interface flag constant: point-to-point link; pure constant, no network connections. - "net.FlagRunning", // interface flag constant: running state (Go 1.20+); pure constant, no network connections. - "net.FlagUp", // interface flag constant: administratively up; pure constant, no network connections. - "net.Flags", // network interface flags type (uint); pure type, no network connections. - "net.IP", // IP address type ([]byte); pure type, no network connections. - "net.IPNet", // IP network struct (IP + Mask); pure type, no network connections. - "net.ParseIP", // parses an IP address string into a net.IP; pure function, no I/O. - "net.Interface", // OS network interface descriptor; read-only struct, no network connections. - "net.Interfaces", // read-only OS interface enumeration function; no network connections or writes. - "os.FileInfo", // file metadata interface returned by Stat; no I/O side effects. - "os.IsNotExist", // checks if error is "not exist"; pure function, no I/O. - "os.O_RDONLY", // read-only file flag constant; cannot open files by itself. - "os.PathError", // error type for filesystem path errors; pure type, no I/O. - "path/filepath.ToSlash", // converts OS path separators to forward slashes; pure function, no I/O. - "regexp.Compile", // compiles a regular expression; pure function, no I/O. Uses RE2 engine (linear-time, no backtracking). - "regexp.QuoteMeta", // escapes all special regex characters in a string; pure function, no I/O. - "regexp.Regexp", // compiled regular expression type; no I/O side effects. All matching methods are linear-time (RE2). - "runtime.GOOS", // current OS name constant; pure constant, no I/O. - "slices.Reverse", // reverses a slice in-place; pure function, no I/O. - "slices.SortFunc", // sorts a slice with a comparison function; pure function, no I/O. - "slices.SortStableFunc", // stable sort with a comparison function; pure function, no I/O. - "strconv.Atoi", // string-to-int conversion; pure function, no I/O. - "strconv.ErrRange", // sentinel error value for overflow; pure constant. - "strconv.FormatInt", // int-to-string conversion; pure function, no I/O. - "strconv.FormatUint", // uint-to-string conversion; pure function, no I/O. - "strconv.IntSize", // platform int size constant (32 or 64); pure constant, no I/O. - "strconv.Itoa", // int-to-string conversion; pure function, no I/O. - "strconv.NumError", // error type for numeric conversion failures; pure type. - "strconv.ParseBool", // string-to-bool conversion; pure function, no I/O. - "strconv.ParseFloat", // string-to-float conversion; pure function, no I/O. - "strconv.ParseInt", // string-to-int conversion with base/bit-size; pure function, no I/O. - "strconv.ParseUint", // string-to-unsigned-int conversion; pure function, no I/O. - "strings.Builder", // efficient string concatenation; pure in-memory buffer, no I/O. - "strings.Contains", // substring search; pure function, no I/O. - "strings.ContainsRune", // checks if a rune is in a string; pure function, no I/O. - "strings.Fields", // splits a string on whitespace into a slice; pure function, no I/O. - "strings.HasPrefix", // pure function for prefix matching; no I/O. - "strings.IndexByte", // finds byte in string; pure function, no I/O. - "strings.Join", // concatenates a slice of strings with a separator; pure function, no I/O. - "strings.ReplaceAll", // replaces all occurrences of a substring; pure function, no I/O. - "strings.Split", // splits a string by separator into a slice; pure function, no I/O. - "strings.ToLower", // converts string to lowercase; pure function, no I/O. - "strings.ToUpper", // converts string to uppercase; pure function, no I/O. - "strings.TrimSpace", // removes leading/trailing whitespace; pure function. - "syscall.ByHandleFileInformation", // Windows file info struct for extracting nlink; read-only type, no I/O. - "syscall.EACCES", // POSIX errno constant for permission denied; pure constant, no I/O. - "syscall.EISDIR", // error number constant for "is a directory"; pure constant, no I/O. - "syscall.EPERM", // POSIX errno constant for operation not permitted; pure constant, no I/O. - "syscall.EPROTONOSUPPORT", // POSIX errno constant for protocol not supported; pure constant, no I/O. - "syscall.ENOENT", // error constant for "no such file or directory"; pure constant, no I/O. - "syscall.Errno", // error type for system call error numbers; pure type, no I/O. - "syscall.GetFileInformationByHandle", // Windows API to query file metadata by handle; read-only, no I/O side effects. - "syscall.Handle", // Windows file handle type; pure type alias, no I/O. - "syscall.Stat_t", // file stat struct for extracting UID/GID/nlink; read-only type, no I/O. - "time.Duration", // duration type; pure integer alias, no I/O. - "time.Hour", // constant representing one hour; no side effects. - "time.Millisecond", // constant representing one millisecond; no side effects. - "time.Minute", // constant representing one minute; no side effects. - "time.ParseDuration", // parses Go duration strings (e.g. "1s"); pure function, no I/O. - "time.Second", // constant representing one second; no side effects. - "time.Time", // time value type; pure data, no side effects. - "unicode.Cc", // control character category range table; pure data, no I/O. - "unicode.Cf", // format character category range table; pure data, no I/O. - "unicode.Co", // private-use character category range table; pure data, no I/O. - "unicode.Is", // checks if rune belongs to a range table; pure function, no I/O. - "unicode.IsGraphic", // reports whether rune is defined as a graphic character; pure function, no I/O. - "unicode.Me", // enclosing mark category range table; pure data, no I/O. - "unicode.Mn", // nonspacing mark category range table; pure data, no I/O. - "unicode.Range16", // struct type for 16-bit Unicode ranges; pure data. - "unicode.Range32", // struct type for 32-bit Unicode ranges; pure data. - "unicode.RangeTable", // struct type for Unicode range tables; pure data. - "unicode.Zs", // Unicode space separator category range table; pure data, no I/O. - "unicode/utf8.DecodeRune", // decodes first UTF-8 rune from a byte slice; pure function, no I/O. - "unicode/utf8.DecodeRuneInString", // decodes first UTF-8 rune from a string; pure function, no I/O. - "unicode/utf8.RuneError", // replacement character returned for invalid UTF-8; constant, no I/O. - "unicode/utf8.UTFMax", // maximum number of bytes in a UTF-8 encoding; constant, no I/O. - "unicode/utf8.Valid", // checks if a byte slice is valid UTF-8; pure function, no I/O. + "bufio.NewScanner", // 🟢 line-by-line input reading (e.g. head, cat); no write or exec capability. + "bufio.Scanner", // 🟢 scanner type for buffered input reading; no write or exec capability. + "bufio.SplitFunc", // 🟢 type for custom scanner split functions; pure type, no I/O. + "bytes.Equal", // 🟢 compares two byte slices for equality; pure function, no I/O. + "bytes.IndexByte", // 🟢 finds a byte in a byte slice; pure function, no I/O. + "bytes.NewReader", // 🟢 wraps a byte slice as an io.Reader; pure in-memory, no I/O. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. + "context.WithTimeout", // 🟢 creates a child context with a deadline; no filesystem or network I/O itself. + "errors.As", // 🟢 error type assertion; pure function, no I/O. + "errors.Is", // 🟢 error comparison; pure function, no I/O. + "errors.New", // 🟢 creates a simple error value; pure function, no I/O. + "fmt.Errorf", // 🟢 error formatting; pure function, no I/O. + "fmt.Sprintf", // 🟢 string formatting; pure function, no I/O. + "github.com/prometheus-community/pro-bing.NewPinger", // 🔴 creates an ICMP pinger by resolving host; network I/O is the explicit purpose of the ping builtin. + "github.com/prometheus-community/pro-bing.NoopLogger", // 🟢 no-op logger that discards pro-bing internal messages; no side effects. + "github.com/prometheus-community/pro-bing.Packet", // 🟢 ICMP packet descriptor struct (received packet data); pure data type, no I/O. + "github.com/prometheus-community/pro-bing.Pinger", // 🔴 ICMP pinger struct; network I/O is the explicit purpose of the ping builtin. + "github.com/prometheus-community/pro-bing.Statistics", // 🟢 ping round-trip statistics struct; pure data type, no I/O. + "golang.org/x/sys/unix.SysctlRaw", // 🟠 macOS: reads kernel socket tables (read-only, no exec, no filesystem). + "io.EOF", // 🟢 sentinel error value; pure constant. + "io.MultiReader", // 🟢 combines multiple Readers into one sequential Reader; no I/O side effects. + "io.NopCloser", // 🟢 wraps a Reader with a no-op Close; no side effects. + "io.ReadCloser", // 🟢 interface type; no side effects. + "io.ReadSeeker", // 🟢 interface type combining Reader and Seeker; no side effects. + "io.Reader", // 🟢 interface type; no side effects. + "io.SeekCurrent", // 🟢 whence constant for Seek(offset, SeekCurrent); pure constant. + "io.WriteString", // 🟠 writes a string to a writer; no filesystem access, delegates to Write. + "io.Writer", // 🟢 interface type for writing; no side effects. + "io/fs.DirEntry", // 🟢 interface type for directory entries; no side effects. + "io/fs.FileInfo", // 🟢 interface type for file information; no side effects. + "io/fs.FileMode", // 🟢 file permission bits type; pure type. + "io/fs.ModeCharDevice", // 🟢 file mode bit constant for character devices; pure constant. + "io/fs.ModeDevice", // 🟢 file mode bit constant for block devices; pure constant. + "io/fs.ModeDir", // 🟢 file mode bit constant for directories; pure constant. + "io/fs.ModeNamedPipe", // 🟢 file mode bit constant for named pipes; pure constant. + "io/fs.ModeSetgid", // 🟢 file mode bit constant for setgid; pure constant. + "io/fs.ModeSetuid", // 🟢 file mode bit constant for setuid; pure constant. + "io/fs.ModeSocket", // 🟢 file mode bit constant for sockets; pure constant. + "io/fs.ModeSticky", // 🟢 file mode bit constant for sticky bit; pure constant. + "io/fs.ModeSymlink", // 🟢 file mode bit constant for symlinks; pure constant. + "io/fs.ReadDirFile", // 🟢 read-only directory handle interface; no write capability. + "math.Ceil", // 🟢 pure arithmetic; no side effects. + "math.Floor", // 🟢 pure arithmetic; no side effects. + "math.Inf", // 🟢 returns positive or negative infinity; pure function, no I/O. + "math.IsInf", // 🟢 IEEE 754 infinity check; pure function, no I/O. + "math.IsNaN", // 🟢 IEEE 754 NaN check; pure function, no I/O. + "math.MaxInt32", // 🟢 integer constant; no side effects. + "math.MaxInt64", // 🟢 integer constant; no side effects. + "math.MaxUint64", // 🟢 integer constant; no side effects. + "math.MinInt64", // 🟢 integer constant; no side effects. + "math.NaN", // 🟢 returns IEEE 754 NaN value; pure function, no I/O. + "net.DefaultResolver", // 🔴 default system DNS resolver; used for context-aware address lookup; network I/O is the explicit purpose of the ping builtin. + "net.FlagBroadcast", // 🟢 interface flag constant: broadcast capability; pure constant, no network connections. + "net.IPAddr", // 🟢 resolved IP address struct (IP + Zone); pure data type, no I/O. + "net.FlagLoopback", // 🟢 interface flag constant: is loopback; pure constant, no network connections. + "net.FlagMulticast", // 🟢 interface flag constant: multicast capability; pure constant, no network connections. + "net.FlagPointToPoint", // 🟢 interface flag constant: point-to-point link; pure constant, no network connections. + "net.FlagRunning", // 🟢 interface flag constant: running state (Go 1.20+); pure constant, no network connections. + "net.FlagUp", // 🟢 interface flag constant: administratively up; pure constant, no network connections. + "net.Flags", // 🟢 network interface flags type (uint); pure type, no network connections. + "net.IP", // 🟢 IP address type ([]byte); pure type, no network connections. + "net.IPNet", // 🟢 IP network struct (IP + Mask); pure type, no network connections. + "net.ParseIP", // 🟢 parses an IP address string into a net.IP; pure function, no I/O. + "net.Interface", // 🟢 OS network interface descriptor; read-only struct, no network connections. + "net.Interfaces", // 🟠 read-only OS interface enumeration function; no network connections or writes. + "os.FileInfo", // 🟢 file metadata interface returned by Stat; no I/O side effects. + "os.IsNotExist", // 🟢 checks if error is "not exist"; pure function, no I/O. + "os.O_RDONLY", // 🟢 read-only file flag constant; cannot open files by itself. + "os.PathError", // 🟢 error type for filesystem path errors; pure type, no I/O. + "path/filepath.ToSlash", // 🟢 converts OS path separators to forward slashes; pure function, no I/O. + "regexp.Compile", // 🟢 compiles a regular expression; pure function, no I/O. Uses RE2 engine (linear-time, no backtracking). + "regexp.QuoteMeta", // 🟢 escapes all special regex characters in a string; pure function, no I/O. + "regexp.Regexp", // 🟢 compiled regular expression type; no I/O side effects. All matching methods are linear-time (RE2). + "runtime.GOOS", // 🟢 current OS name constant; pure constant, no I/O. + "slices.Reverse", // 🟢 reverses a slice in-place; pure function, no I/O. + "slices.SortFunc", // 🟢 sorts a slice with a comparison function; pure function, no I/O. + "slices.SortStableFunc", // 🟢 stable sort with a comparison function; pure function, no I/O. + "strconv.Atoi", // 🟢 string-to-int conversion; pure function, no I/O. + "strconv.ErrRange", // 🟢 sentinel error value for overflow; pure constant. + "strconv.FormatInt", // 🟢 int-to-string conversion; pure function, no I/O. + "strconv.FormatUint", // 🟢 uint-to-string conversion; pure function, no I/O. + "strconv.IntSize", // 🟢 platform int size constant (32 or 64); pure constant, no I/O. + "strconv.Itoa", // 🟢 int-to-string conversion; pure function, no I/O. + "strconv.NumError", // 🟢 error type for numeric conversion failures; pure type. + "strconv.ParseBool", // 🟢 string-to-bool conversion; pure function, no I/O. + "strconv.ParseFloat", // 🟢 string-to-float conversion; pure function, no I/O. + "strconv.ParseInt", // 🟢 string-to-int conversion with base/bit-size; pure function, no I/O. + "strconv.ParseUint", // 🟢 string-to-unsigned-int conversion; pure function, no I/O. + "strings.Builder", // 🟢 efficient string concatenation; pure in-memory buffer, no I/O. + "strings.Contains", // 🟢 substring search; pure function, no I/O. + "strings.ContainsRune", // 🟢 checks if a rune is in a string; pure function, no I/O. + "strings.Fields", // 🟢 splits a string on whitespace into a slice; pure function, no I/O. + "strings.HasPrefix", // 🟢 pure function for prefix matching; no I/O. + "strings.IndexByte", // 🟢 finds byte in string; pure function, no I/O. + "strings.Join", // 🟢 concatenates a slice of strings with a separator; pure function, no I/O. + "strings.ReplaceAll", // 🟢 replaces all occurrences of a substring; pure function, no I/O. + "strings.Split", // 🟢 splits a string by separator into a slice; pure function, no I/O. + "strings.ToLower", // 🟢 converts string to lowercase; pure function, no I/O. + "strings.ToUpper", // 🟢 converts string to uppercase; pure function, no I/O. + "strings.TrimSpace", // 🟢 removes leading/trailing whitespace; pure function. + "syscall.ByHandleFileInformation", // 🟢 Windows file info struct for extracting nlink; read-only type, no I/O. + "syscall.EACCES", // 🟢 POSIX errno constant for permission denied; pure constant, no I/O. + "syscall.EISDIR", // 🟢 error number constant for "is a directory"; pure constant, no I/O. + "syscall.EPERM", // 🟢 POSIX errno constant for operation not permitted; pure constant, no I/O. + "syscall.EPROTONOSUPPORT", // 🟢 POSIX errno constant for protocol not supported; pure constant, no I/O. + "syscall.ENOENT", // 🟢 error constant for "no such file or directory"; pure constant, no I/O. + "syscall.Errno", // 🟢 error type for system call error numbers; pure type, no I/O. + "syscall.GetFileInformationByHandle", // 🟠 Windows API to query file metadata by handle; read-only, no I/O side effects. + "syscall.Handle", // 🟢 Windows file handle type; pure type alias, no I/O. + "syscall.Stat_t", // 🟢 file stat struct for extracting UID/GID/nlink; read-only type, no I/O. + "time.Duration", // 🟢 duration type; pure integer alias, no I/O. + "time.Hour", // 🟢 constant representing one hour; no side effects. + "time.Millisecond", // 🟢 constant representing one millisecond; no side effects. + "time.Minute", // 🟢 constant representing one minute; no side effects. + "time.ParseDuration", // 🟢 parses Go duration strings (e.g. "1s"); pure function, no I/O. + "time.Second", // 🟢 constant representing one second; no side effects. + "time.Time", // 🟢 time value type; pure data, no side effects. + "unicode.Cc", // 🟢 control character category range table; pure data, no I/O. + "unicode.Cf", // 🟢 format character category range table; pure data, no I/O. + "unicode.Co", // 🟢 private-use character category range table; pure data, no I/O. + "unicode.Is", // 🟢 checks if rune belongs to a range table; pure function, no I/O. + "unicode.IsGraphic", // 🟢 reports whether rune is defined as a graphic character; pure function, no I/O. + "unicode.Me", // 🟢 enclosing mark category range table; pure data, no I/O. + "unicode.Mn", // 🟢 nonspacing mark category range table; pure data, no I/O. + "unicode.Range16", // 🟢 struct type for 16-bit Unicode ranges; pure data. + "unicode.Range32", // 🟢 struct type for 32-bit Unicode ranges; pure data. + "unicode.RangeTable", // 🟢 struct type for Unicode range tables; pure data. + "unicode.Zs", // 🟢 Unicode space separator category range table; pure data, no I/O. + "unicode/utf8.DecodeRune", // 🟢 decodes first UTF-8 rune from a byte slice; pure function, no I/O. + "unicode/utf8.DecodeRuneInString", // 🟢 decodes first UTF-8 rune from a string; pure function, no I/O. + "unicode/utf8.RuneError", // 🟢 replacement character returned for invalid UTF-8; constant, no I/O. + "unicode/utf8.UTFMax", // 🟢 maximum number of bytes in a UTF-8 encoding; constant, no I/O. + "unicode/utf8.Valid", // 🟢 checks if a byte slice is valid UTF-8; pure function, no I/O. } diff --git a/allowedsymbols/symbols_internal.go b/allowedsymbols/symbols_internal.go index 3a038475..2d8106b5 100644 --- a/allowedsymbols/symbols_internal.go +++ b/allowedsymbols/symbols_internal.go @@ -10,53 +10,53 @@ package allowedsymbols // internalAllowedSymbols (which acts as the global ceiling). var internalPerPackageSymbols = map[string][]string{ "loopctl": { - "strconv.Atoi", // string-to-int conversion; pure function, no I/O. + "strconv.Atoi", // 🟢 string-to-int conversion; pure function, no I/O. }, "procinfo": { - "bufio.NewScanner", // line-by-line reading of /proc files; no write capability. - "bytes.NewReader", // wraps a byte slice as an in-memory io.Reader; no I/O side effects. - "context.Context", // deadline/cancellation interface; no side effects. - "errors.New", // creates a sentinel error (unsupported-platform stub); pure function, no I/O. - "fmt.Errorf", // error formatting; pure function, no I/O. - "fmt.Sprintf", // string formatting; pure function, no I/O. - "os.Getpid", // returns the current process ID; read-only, no side effects. - "os.Open", // opens a file read-only; needed to stream /proc/stat line-by-line. - "os.ReadDir", // reads a directory listing; needed to enumerate /proc entries. - "os.ReadFile", // reads a whole file; needed to read /proc/[pid]/{stat,cmdline,status}. - "strconv.Atoi", // string-to-int conversion; pure function, no I/O. - "strconv.ParseInt", // string to int64 with base/bit-size; pure function, no I/O. - "strings.Fields", // splits a string on whitespace; pure function, no I/O. - "strings.HasPrefix", // checks string prefix; pure function, no I/O. - "strings.Index", // finds first occurrence of a substring; pure function, no I/O. - "strings.LastIndex", // finds last occurrence of a substring; pure function, no I/O. - "strings.TrimRight", // trims trailing characters; pure function, no I/O. - "strings.TrimSpace", // removes leading/trailing whitespace; pure function, no I/O. - "syscall.Getsid", // returns the session ID of a process; read-only syscall, no write/exec. - "time.Now", // returns the current wall-clock time; read-only, no side effects. - "time.Unix", // constructs a Time from Unix seconds; pure function, no I/O. - "golang.org/x/sys/unix.KinfoProc", // (darwin) struct type carrying per-process kinfo_proc data from sysctl; read-only data, no exec capability. - "golang.org/x/sys/unix.SysctlKinfoProc", // (darwin) reads a single process's kinfo_proc via kern.proc.pid sysctl; read-only, no exec or write capability. - "golang.org/x/sys/unix.SysctlKinfoProcSlice", // (darwin) reads all processes' kinfo_proc via kern.proc.all sysctl; read-only, no exec or write capability. - "golang.org/x/sys/unix.SysctlRaw", // (darwin) reads raw kern.procargs2 sysctl buffer per-PID to obtain argv; read-only, no exec capability. - "golang.org/x/sys/windows.CloseHandle", // (windows) closes a process-snapshot handle after enumeration; no data read or exec capability. - "golang.org/x/sys/windows.CreateToolhelp32Snapshot", // (windows) creates a read-only snapshot of the process table; no exec or write capability. - "golang.org/x/sys/windows.ERROR_NO_MORE_FILES", // (windows) sentinel error indicating end of process enumeration; pure constant. - "golang.org/x/sys/windows.Process32First", // (windows) reads the first entry from a process snapshot; read-only, no exec capability. - "golang.org/x/sys/windows.Process32Next", // (windows) advances to the next entry in a process snapshot; read-only, no exec capability. - "golang.org/x/sys/windows.ProcessEntry32", // (windows) struct type holding process snapshot entry data; pure data type, no I/O. - "golang.org/x/sys/windows.TH32CS_SNAPPROCESS", // (windows) flag constant selecting process entries for CreateToolhelp32Snapshot; pure constant. - "golang.org/x/sys/windows.UTF16ToString", // (windows) converts a null-terminated UTF-16 slice to a Go string; pure function, no I/O. + "bufio.NewScanner", // 🟢 line-by-line reading of /proc files; no write capability. + "bytes.NewReader", // 🟢 wraps a byte slice as an in-memory io.Reader; no I/O side effects. + "context.Context", // 🟢 deadline/cancellation interface; no side effects. + "errors.New", // 🟢 creates a sentinel error (unsupported-platform stub); pure function, no I/O. + "fmt.Errorf", // 🟢 error formatting; pure function, no I/O. + "fmt.Sprintf", // 🟢 string formatting; pure function, no I/O. + "os.Getpid", // 🟠 returns the current process ID; read-only, no side effects. + "os.Open", // 🟠 opens a file read-only; needed to stream /proc/stat line-by-line. + "os.ReadDir", // 🟠 reads a directory listing; needed to enumerate /proc entries. + "os.ReadFile", // 🟠 reads a whole file; needed to read /proc/[pid]/{stat,cmdline,status}. + "strconv.Atoi", // 🟢 string-to-int conversion; pure function, no I/O. + "strconv.ParseInt", // 🟢 string to int64 with base/bit-size; pure function, no I/O. + "strings.Fields", // 🟢 splits a string on whitespace; pure function, no I/O. + "strings.HasPrefix", // 🟢 checks string prefix; pure function, no I/O. + "strings.Index", // 🟢 finds first occurrence of a substring; pure function, no I/O. + "strings.LastIndex", // 🟢 finds last occurrence of a substring; pure function, no I/O. + "strings.TrimRight", // 🟢 trims trailing characters; pure function, no I/O. + "strings.TrimSpace", // 🟢 removes leading/trailing whitespace; pure function, no I/O. + "syscall.Getsid", // 🟠 returns the session ID of a process; read-only syscall, no write/exec. + "time.Now", // 🟠 returns the current wall-clock time; read-only, no side effects. + "time.Unix", // 🟢 constructs a Time from Unix seconds; pure function, no I/O. + "golang.org/x/sys/unix.KinfoProc", // 🟢 (darwin) struct type carrying per-process kinfo_proc data from sysctl; read-only data, no exec capability. + "golang.org/x/sys/unix.SysctlKinfoProc", // 🟠 (darwin) reads a single process's kinfo_proc via kern.proc.pid sysctl; read-only, no exec or write capability. + "golang.org/x/sys/unix.SysctlKinfoProcSlice", // 🟠 (darwin) reads all processes' kinfo_proc via kern.proc.all sysctl; read-only, no exec or write capability. + "golang.org/x/sys/unix.SysctlRaw", // 🟠 (darwin) reads raw kern.procargs2 sysctl buffer per-PID to obtain argv; read-only, no exec capability. + "golang.org/x/sys/windows.CloseHandle", // 🟠 (windows) closes a process-snapshot handle after enumeration; no data read or exec capability. + "golang.org/x/sys/windows.CreateToolhelp32Snapshot", // 🟠 (windows) creates a read-only snapshot of the process table; no exec or write capability. + "golang.org/x/sys/windows.ERROR_NO_MORE_FILES", // 🟢 (windows) sentinel error indicating end of process enumeration; pure constant. + "golang.org/x/sys/windows.Process32First", // 🟠 (windows) reads the first entry from a process snapshot; read-only, no exec capability. + "golang.org/x/sys/windows.Process32Next", // 🟠 (windows) advances to the next entry in a process snapshot; read-only, no exec capability. + "golang.org/x/sys/windows.ProcessEntry32", // 🟢 (windows) struct type holding process snapshot entry data; pure data type, no I/O. + "golang.org/x/sys/windows.TH32CS_SNAPPROCESS", // 🟢 (windows) flag constant selecting process entries for CreateToolhelp32Snapshot; pure constant. + "golang.org/x/sys/windows.UTF16ToString", // 🟢 (windows) converts a null-terminated UTF-16 slice to a Go string; pure function, no I/O. }, "winnet": { - "encoding/binary.BigEndian", // reads big-endian IPv6 group values from DLL buffer; pure value, no I/O. - "encoding/binary.LittleEndian", // reads little-endian DWORD fields from DLL buffer; pure value, no I/O. - "errors.New", // creates a sentinel error (non-Windows stub); pure function, no I/O. - "fmt.Errorf", // error formatting; pure function, no I/O. - "fmt.Sprintf", // string formatting; pure function, no I/O. - "syscall.Errno", // wraps DLL return code as an error type; pure type, no I/O. - "syscall.MustLoadDLL", // loads iphlpapi.dll once at program init; read-only OS loader call. - "syscall.Proc", // DLL procedure handle type used in function signature; pure type, no I/O. - "unsafe.Pointer", // passes buffer/size pointers to DLL via syscall ABI. No pointer arithmetic; buffer parsed with encoding/binary after the call. + "encoding/binary.BigEndian", // 🟢 reads big-endian IPv6 group values from DLL buffer; pure value, no I/O. + "encoding/binary.LittleEndian", // 🟢 reads little-endian DWORD fields from DLL buffer; pure value, no I/O. + "errors.New", // 🟢 creates a sentinel error (non-Windows stub); pure function, no I/O. + "fmt.Errorf", // 🟢 error formatting; pure function, no I/O. + "fmt.Sprintf", // 🟢 string formatting; pure function, no I/O. + "syscall.Errno", // 🟢 wraps DLL return code as an error type; pure type, no I/O. + "syscall.MustLoadDLL", // 🔴 loads iphlpapi.dll once at program init; read-only OS loader call. + "syscall.Proc", // 🟢 DLL procedure handle type used in function signature; pure type, no I/O. + "unsafe.Pointer", // 🔴 passes buffer/size pointers to DLL via syscall ABI. No pointer arithmetic; buffer parsed with encoding/binary after the call. }, } @@ -71,43 +71,43 @@ var internalPerPackageSymbols = map[string][]string{ // via iphlpapi.dll. Usage is limited to two call sites; no unsafe pointer // arithmetic occurs after the DLL call. All buffer parsing uses encoding/binary. var internalAllowedSymbols = []string{ - "bufio.NewScanner", // procinfo: line-by-line reading of /proc files; no write capability. - "bytes.NewReader", // procinfo: wraps a byte slice as an in-memory io.Reader; no I/O side effects. - "context.Context", // procinfo: deadline/cancellation interface; no side effects. - "encoding/binary.BigEndian", // winnet: reads big-endian IPv6 group values from DLL buffer; pure value, no I/O. - "encoding/binary.LittleEndian", // winnet: reads little-endian DWORD fields from DLL buffer; pure value, no I/O. - "errors.New", // creates a sentinel error; pure function, no I/O. - "fmt.Errorf", // error formatting; pure function, no I/O. - "fmt.Sprintf", // string formatting; pure function, no I/O. - "os.Getpid", // procinfo: returns the current process ID; read-only, no side effects. - "os.Open", // procinfo: opens a file read-only; needed to stream /proc/stat line-by-line. - "os.ReadDir", // procinfo: reads a directory listing; needed to enumerate /proc entries. - "os.ReadFile", // procinfo: reads a whole file; needed to read /proc/[pid]/{stat,cmdline,status}. - "strconv.Atoi", // string-to-int conversion; pure function, no I/O. - "strconv.ParseInt", // procinfo: string to int64 with base/bit-size; pure function, no I/O. - "strings.Fields", // procinfo: splits a string on whitespace; pure function, no I/O. - "strings.HasPrefix", // procinfo: checks string prefix; pure function, no I/O. - "strings.Index", // procinfo: finds first occurrence of a substring; pure function, no I/O. - "strings.LastIndex", // procinfo: finds last occurrence of a substring; pure function, no I/O. - "strings.TrimRight", // procinfo: trims trailing characters; pure function, no I/O. - "strings.TrimSpace", // procinfo: removes leading/trailing whitespace; pure function, no I/O. - "syscall.Errno", // winnet: wraps DLL return code as an error type; pure type, no I/O. - "syscall.Getsid", // procinfo: returns the session ID of a process; read-only syscall, no write/exec. - "syscall.MustLoadDLL", // winnet: loads iphlpapi.dll once at program init; read-only OS loader call. - "syscall.Proc", // winnet: DLL procedure handle type used in function signature; pure type, no I/O. - "time.Now", // procinfo: returns the current wall-clock time; read-only, no side effects. - "time.Unix", // procinfo: constructs a Time from Unix seconds; pure function, no I/O. - "unsafe.Pointer", // winnet: passes buffer/size pointers to DLL via syscall ABI. No pointer arithmetic; buffer parsed with encoding/binary after the call. - "golang.org/x/sys/unix.KinfoProc", // procinfo (darwin): struct type carrying per-process kinfo_proc data from sysctl; read-only data, no exec capability. - "golang.org/x/sys/unix.SysctlKinfoProc", // procinfo (darwin): reads a single process's kinfo_proc via kern.proc.pid sysctl; read-only, no exec or write capability. - "golang.org/x/sys/unix.SysctlKinfoProcSlice", // procinfo (darwin): reads all processes' kinfo_proc via kern.proc.all sysctl; read-only, no exec or write capability. - "golang.org/x/sys/unix.SysctlRaw", // procinfo (darwin): reads raw kern.procargs2 sysctl buffer per-PID to obtain argv; read-only, no exec capability. - "golang.org/x/sys/windows.CloseHandle", // procinfo (windows): closes a process-snapshot handle after enumeration; no data read or exec capability. - "golang.org/x/sys/windows.CreateToolhelp32Snapshot", // procinfo (windows): creates a read-only snapshot of the process table; no exec or write capability. - "golang.org/x/sys/windows.ERROR_NO_MORE_FILES", // procinfo (windows): sentinel error indicating end of process enumeration; pure constant. - "golang.org/x/sys/windows.Process32First", // procinfo (windows): reads the first entry from a process snapshot; read-only, no exec capability. - "golang.org/x/sys/windows.Process32Next", // procinfo (windows): advances to the next entry in a process snapshot; read-only, no exec capability. - "golang.org/x/sys/windows.ProcessEntry32", // procinfo (windows): struct type holding process snapshot entry data; pure data type, no I/O. - "golang.org/x/sys/windows.TH32CS_SNAPPROCESS", // procinfo (windows): flag constant selecting process entries for CreateToolhelp32Snapshot; pure constant. - "golang.org/x/sys/windows.UTF16ToString", // procinfo (windows): converts a null-terminated UTF-16 slice to a Go string; pure function, no I/O. + "bufio.NewScanner", // 🟢 procinfo: line-by-line reading of /proc files; no write capability. + "bytes.NewReader", // 🟢 procinfo: wraps a byte slice as an in-memory io.Reader; no I/O side effects. + "context.Context", // 🟢 procinfo: deadline/cancellation interface; no side effects. + "encoding/binary.BigEndian", // 🟢 winnet: reads big-endian IPv6 group values from DLL buffer; pure value, no I/O. + "encoding/binary.LittleEndian", // 🟢 winnet: reads little-endian DWORD fields from DLL buffer; pure value, no I/O. + "errors.New", // 🟢 creates a sentinel error; pure function, no I/O. + "fmt.Errorf", // 🟢 error formatting; pure function, no I/O. + "fmt.Sprintf", // 🟢 string formatting; pure function, no I/O. + "os.Getpid", // 🟠 procinfo: returns the current process ID; read-only, no side effects. + "os.Open", // 🟠 procinfo: opens a file read-only; needed to stream /proc/stat line-by-line. + "os.ReadDir", // 🟠 procinfo: reads a directory listing; needed to enumerate /proc entries. + "os.ReadFile", // 🟠 procinfo: reads a whole file; needed to read /proc/[pid]/{stat,cmdline,status}. + "strconv.Atoi", // 🟢 string-to-int conversion; pure function, no I/O. + "strconv.ParseInt", // 🟢 procinfo: string to int64 with base/bit-size; pure function, no I/O. + "strings.Fields", // 🟢 procinfo: splits a string on whitespace; pure function, no I/O. + "strings.HasPrefix", // 🟢 procinfo: checks string prefix; pure function, no I/O. + "strings.Index", // 🟢 procinfo: finds first occurrence of a substring; pure function, no I/O. + "strings.LastIndex", // 🟢 procinfo: finds last occurrence of a substring; pure function, no I/O. + "strings.TrimRight", // 🟢 procinfo: trims trailing characters; pure function, no I/O. + "strings.TrimSpace", // 🟢 procinfo: removes leading/trailing whitespace; pure function, no I/O. + "syscall.Errno", // 🟢 winnet: wraps DLL return code as an error type; pure type, no I/O. + "syscall.Getsid", // 🟠 procinfo: returns the session ID of a process; read-only syscall, no write/exec. + "syscall.MustLoadDLL", // 🔴 winnet: loads iphlpapi.dll once at program init; read-only OS loader call. + "syscall.Proc", // 🟢 winnet: DLL procedure handle type used in function signature; pure type, no I/O. + "time.Now", // 🟠 procinfo: returns the current wall-clock time; read-only, no side effects. + "time.Unix", // 🟢 procinfo: constructs a Time from Unix seconds; pure function, no I/O. + "unsafe.Pointer", // 🔴 winnet: passes buffer/size pointers to DLL via syscall ABI. No pointer arithmetic; buffer parsed with encoding/binary after the call. + "golang.org/x/sys/unix.KinfoProc", // 🟢 procinfo (darwin): struct type carrying per-process kinfo_proc data from sysctl; read-only data, no exec capability. + "golang.org/x/sys/unix.SysctlKinfoProc", // 🟠 procinfo (darwin): reads a single process's kinfo_proc via kern.proc.pid sysctl; read-only, no exec or write capability. + "golang.org/x/sys/unix.SysctlKinfoProcSlice", // 🟠 procinfo (darwin): reads all processes' kinfo_proc via kern.proc.all sysctl; read-only, no exec or write capability. + "golang.org/x/sys/unix.SysctlRaw", // 🟠 procinfo (darwin): reads raw kern.procargs2 sysctl buffer per-PID to obtain argv; read-only, no exec capability. + "golang.org/x/sys/windows.CloseHandle", // 🟠 procinfo (windows): closes a process-snapshot handle after enumeration; no data read or exec capability. + "golang.org/x/sys/windows.CreateToolhelp32Snapshot", // 🟠 procinfo (windows): creates a read-only snapshot of the process table; no exec or write capability. + "golang.org/x/sys/windows.ERROR_NO_MORE_FILES", // 🟢 procinfo (windows): sentinel error indicating end of process enumeration; pure constant. + "golang.org/x/sys/windows.Process32First", // 🟠 procinfo (windows): reads the first entry from a process snapshot; read-only, no exec capability. + "golang.org/x/sys/windows.Process32Next", // 🟠 procinfo (windows): advances to the next entry in a process snapshot; read-only, no exec capability. + "golang.org/x/sys/windows.ProcessEntry32", // 🟢 procinfo (windows): struct type holding process snapshot entry data; pure data type, no I/O. + "golang.org/x/sys/windows.TH32CS_SNAPPROCESS", // 🟢 procinfo (windows): flag constant selecting process entries for CreateToolhelp32Snapshot; pure constant. + "golang.org/x/sys/windows.UTF16ToString", // 🟢 procinfo (windows): converts a null-terminated UTF-16 slice to a Go string; pure function, no I/O. } diff --git a/allowedsymbols/symbols_interp.go b/allowedsymbols/symbols_interp.go index ce72c6c9..d86d235c 100644 --- a/allowedsymbols/symbols_interp.go +++ b/allowedsymbols/symbols_interp.go @@ -17,117 +17,117 @@ package allowedsymbols // // The permanently banned packages (reflect, unsafe) apply here too. var interpAllowedSymbols = []string{ - "bytes.Buffer", // in-memory byte buffer; pure data structure, no I/O. - "context.Context", // deadline/cancellation plumbing; pure interface, no side effects. - "context.WithValue", // derives a context carrying a key-value pair; pure function. - "errors.As", // error type assertion; pure function, no I/O. - "fmt.Errorf", // formatted error creation; pure function, no I/O. - "fmt.Fprintf", // formatted write to an io.Writer; delegates to Write, no filesystem access. - "fmt.Fprintln", // writes to an io.Writer with newline; delegates to Write, no filesystem access. - "fmt.Sprintf", // string formatting; pure function, no I/O. - "io.Closer", // interface type for closing; no side effects. - "io.Copy", // copies from Reader to Writer; no filesystem access, delegates to Read/Write. - "io.Discard", // write sink that discards all data; no side effects. - "io.LimitReader", // wraps a Reader with a byte cap; pure function, no I/O. - "io.Reader", // interface type for reading; no side effects. - "io.ReadWriteCloser", // combined interface type; no side effects. - "io.Writer", // interface type for writing; no side effects. - "io/fs.DirEntry", // interface type for directory entries; no side effects. - "io/fs.FileInfo", // interface type for file metadata; no side effects. - "io/fs.ReadDirFile", // read-only directory handle interface; no write capability. - "maps.Insert", // inserts all key-value pairs from one map into another; pure function. - "os.DirEntry", // type alias for fs.DirEntry; no side effects. - "os.File", // file handle type; interpreter needs file I/O for redirects and pipes. - "os.FileMode", // file permission bits type; pure type. - "os.Getwd", // returns current working directory; read-only. - "os.O_RDONLY", // read-only file flag constant; pure constant. - "os.PathError", // error type wrapping path and operation; pure type. - "os.Pipe", // creates an OS pipe pair; needed for shell pipelines. - "path/filepath.IsAbs", // checks if path is absolute; pure function, no I/O. - "path/filepath.Join", // joins path elements; pure function, no I/O. - "runtime.GOOS", // current OS name constant; pure constant, no I/O. - "strconv.Itoa", // int-to-string conversion; pure function, no I/O. - "strings.Builder", // efficient string concatenation; pure in-memory buffer, no I/O. - "strings.ContainsRune", // checks if a rune is in a string; pure function, no I/O. - "strings.Index", // finds substring index; pure function, no I/O. - "strings.HasPrefix", // pure function for prefix matching; no I/O. - "strings.HasSuffix", // pure function for suffix matching; no I/O. - "strings.Split", // splits a string by separator; pure function, no I/O. - "strings.ToUpper", // converts string to uppercase; pure function, no I/O. - "strings.TrimLeft", // trims leading characters; pure function, no I/O. - "sync.Mutex", // mutual exclusion lock; concurrency primitive, no I/O. - "sync.Once", // ensures a function runs exactly once; concurrency primitive, no I/O. - "sync.WaitGroup", // waits for goroutines to finish; concurrency primitive, no I/O. - "time.Now", // returns current time; read-only, no mutation. - "time.Time", // time value type; pure data, no side effects. + "bytes.Buffer", // 🟢 in-memory byte buffer; pure data structure, no I/O. + "context.Context", // 🟢 deadline/cancellation plumbing; pure interface, no side effects. + "context.WithValue", // 🟢 derives a context carrying a key-value pair; pure function. + "errors.As", // 🟢 error type assertion; pure function, no I/O. + "fmt.Errorf", // 🟢 formatted error creation; pure function, no I/O. + "fmt.Fprintf", // 🟠 formatted write to an io.Writer; delegates to Write, no filesystem access. + "fmt.Fprintln", // 🟠 writes to an io.Writer with newline; delegates to Write, no filesystem access. + "fmt.Sprintf", // 🟢 string formatting; pure function, no I/O. + "io.Closer", // 🟢 interface type for closing; no side effects. + "io.Copy", // 🟠 copies from Reader to Writer; no filesystem access, delegates to Read/Write. + "io.Discard", // 🟢 write sink that discards all data; no side effects. + "io.LimitReader", // 🟢 wraps a Reader with a byte cap; pure function, no I/O. + "io.Reader", // 🟢 interface type for reading; no side effects. + "io.ReadWriteCloser", // 🟢 combined interface type; no side effects. + "io.Writer", // 🟢 interface type for writing; no side effects. + "io/fs.DirEntry", // 🟢 interface type for directory entries; no side effects. + "io/fs.FileInfo", // 🟢 interface type for file metadata; no side effects. + "io/fs.ReadDirFile", // 🟢 read-only directory handle interface; no write capability. + "maps.Insert", // 🟢 inserts all key-value pairs from one map into another; pure function. + "os.DirEntry", // 🟢 type alias for fs.DirEntry; no side effects. + "os.File", // 🟠 file handle type; interpreter needs file I/O for redirects and pipes. + "os.FileMode", // 🟢 file permission bits type; pure type. + "os.Getwd", // 🟠 returns current working directory; read-only. + "os.O_RDONLY", // 🟢 read-only file flag constant; pure constant. + "os.PathError", // 🟢 error type wrapping path and operation; pure type. + "os.Pipe", // 🟠 creates an OS pipe pair; needed for shell pipelines. + "path/filepath.IsAbs", // 🟢 checks if path is absolute; pure function, no I/O. + "path/filepath.Join", // 🟢 joins path elements; pure function, no I/O. + "runtime.GOOS", // 🟢 current OS name constant; pure constant, no I/O. + "strconv.Itoa", // 🟢 int-to-string conversion; pure function, no I/O. + "strings.Builder", // 🟢 efficient string concatenation; pure in-memory buffer, no I/O. + "strings.ContainsRune", // 🟢 checks if a rune is in a string; pure function, no I/O. + "strings.Index", // 🟢 finds substring index; pure function, no I/O. + "strings.HasPrefix", // 🟢 pure function for prefix matching; no I/O. + "strings.HasSuffix", // 🟢 pure function for suffix matching; no I/O. + "strings.Split", // 🟢 splits a string by separator; pure function, no I/O. + "strings.ToUpper", // 🟢 converts string to uppercase; pure function, no I/O. + "strings.TrimLeft", // 🟢 trims leading characters; pure function, no I/O. + "sync.Mutex", // 🟢 mutual exclusion lock; concurrency primitive, no I/O. + "sync.Once", // 🟢 ensures a function runs exactly once; concurrency primitive, no I/O. + "sync.WaitGroup", // 🟢 waits for goroutines to finish; concurrency primitive, no I/O. + "time.Now", // 🟠 returns current time; read-only, no mutation. + "time.Time", // 🟢 time value type; pure data, no side effects. // --- mvdan.cc/sh/v3/expand --- (shell word expansion library) - "mvdan.cc/sh/v3/expand.Config", // configuration for word expansion; pure type. - "mvdan.cc/sh/v3/expand.Document", // expands a here-document; pure function. - "mvdan.cc/sh/v3/expand.Environ", // interface for environment variable access; pure interface. - "mvdan.cc/sh/v3/expand.Fields", // expands words into fields (splitting, globbing); core expansion. - "mvdan.cc/sh/v3/expand.KeepValue", // sentinel for variable expansion; pure constant. - "mvdan.cc/sh/v3/expand.ListEnviron", // converts string slice to Environ; pure function. - "mvdan.cc/sh/v3/expand.Literal", // expands a word to a single literal string; pure function. - "mvdan.cc/sh/v3/expand.String", // expands a word to a string; pure function. - "mvdan.cc/sh/v3/expand.UnexpectedCommandError", // error for unexpected command substitution in restricted mode; pure type. - "mvdan.cc/sh/v3/expand.UnsetParameterError", // error for unset parameter expansion; pure type. - "mvdan.cc/sh/v3/expand.Variable", // represents a shell variable; pure type. - "mvdan.cc/sh/v3/expand.WriteEnviron", // interface for setting environment variables; pure interface. + "mvdan.cc/sh/v3/expand.Config", // 🟢 configuration for word expansion; pure type. + "mvdan.cc/sh/v3/expand.Document", // 🟢 expands a here-document; pure function. + "mvdan.cc/sh/v3/expand.Environ", // 🟢 interface for environment variable access; pure interface. + "mvdan.cc/sh/v3/expand.Fields", // 🟢 expands words into fields (splitting, globbing); core expansion. + "mvdan.cc/sh/v3/expand.KeepValue", // 🟢 sentinel for variable expansion; pure constant. + "mvdan.cc/sh/v3/expand.ListEnviron", // 🟢 converts string slice to Environ; pure function. + "mvdan.cc/sh/v3/expand.Literal", // 🟢 expands a word to a single literal string; pure function. + "mvdan.cc/sh/v3/expand.String", // 🟢 expands a word to a string; pure function. + "mvdan.cc/sh/v3/expand.UnexpectedCommandError", // 🟢 error for unexpected command substitution in restricted mode; pure type. + "mvdan.cc/sh/v3/expand.UnsetParameterError", // 🟢 error for unset parameter expansion; pure type. + "mvdan.cc/sh/v3/expand.Variable", // 🟢 represents a shell variable; pure type. + "mvdan.cc/sh/v3/expand.WriteEnviron", // 🟢 interface for setting environment variables; pure interface. // --- mvdan.cc/sh/v3/syntax --- (shell AST types and utilities) - "mvdan.cc/sh/v3/syntax.AndStmt", // AST node for && operator; pure type. - "mvdan.cc/sh/v3/syntax.AppAll", // redirect operator constant (&>>); pure constant. - "mvdan.cc/sh/v3/syntax.AppOut", // redirect operator constant (>>); pure constant. - "mvdan.cc/sh/v3/syntax.ArithmCmd", // AST node for (( )) arithmetic command; pure type. - "mvdan.cc/sh/v3/syntax.ArithmExp", // AST node for $(( )) arithmetic expansion; pure type. - "mvdan.cc/sh/v3/syntax.ArithmExpr", // AST interface for arithmetic expressions; pure interface. - "mvdan.cc/sh/v3/syntax.Assign", // AST node for variable assignment; pure type. - "mvdan.cc/sh/v3/syntax.BinaryCmd", // AST node for binary command (&&, ||, |); pure type. - "mvdan.cc/sh/v3/syntax.Block", // AST node for { } command group; pure type. - "mvdan.cc/sh/v3/syntax.CallExpr", // AST node for simple command call; pure type. - "mvdan.cc/sh/v3/syntax.CaseClause", // AST node for case statement; pure type. - "mvdan.cc/sh/v3/syntax.ClbOut", // redirect operator constant (>|); pure constant. - "mvdan.cc/sh/v3/syntax.CmdSubst", // AST node for $() command substitution; pure type. - "mvdan.cc/sh/v3/syntax.Command", // AST interface for all command types; pure interface. - "mvdan.cc/sh/v3/syntax.CoprocClause", // AST node for coproc command; pure type. - "mvdan.cc/sh/v3/syntax.DashHdoc", // here-doc operator constant (<<-); pure constant. - "mvdan.cc/sh/v3/syntax.DblQuoted", // AST node for double-quoted string; pure type. - "mvdan.cc/sh/v3/syntax.DeclClause", // AST node for declare/local/export; pure type. - "mvdan.cc/sh/v3/syntax.DplIn", // redirect operator constant (<&); pure constant. - "mvdan.cc/sh/v3/syntax.DplOut", // redirect operator constant (>&); pure constant. - "mvdan.cc/sh/v3/syntax.ExtGlob", // AST node for extended glob pattern; pure type. - "mvdan.cc/sh/v3/syntax.File", // AST root node for a parsed shell script; pure type. - "mvdan.cc/sh/v3/syntax.ForClause", // AST node for for loop; pure type. - "mvdan.cc/sh/v3/syntax.FuncDecl", // AST node for function declaration; pure type. - "mvdan.cc/sh/v3/syntax.Hdoc", // here-doc operator constant (<<); pure constant. - "mvdan.cc/sh/v3/syntax.IfClause", // AST node for if statement; pure type. - "mvdan.cc/sh/v3/syntax.LetClause", // AST node for let command; pure type. - "mvdan.cc/sh/v3/syntax.Lit", // AST node for literal string; pure type. - "mvdan.cc/sh/v3/syntax.Node", // AST interface for all nodes; pure interface. - "mvdan.cc/sh/v3/syntax.OrStmt", // AST node for || operator; pure type. - "mvdan.cc/sh/v3/syntax.ParamExp", // AST node for ${} parameter expansion; pure type. - "mvdan.cc/sh/v3/syntax.Pipe", // AST node for pipeline; pure type. - "mvdan.cc/sh/v3/syntax.PipeAll", // redirect operator constant (|&); pure constant. - "mvdan.cc/sh/v3/syntax.Pos", // source position type; pure type. - "mvdan.cc/sh/v3/syntax.ProcSubst", // AST node for process substitution; pure type. - "mvdan.cc/sh/v3/syntax.RdrAll", // redirect operator constant (&>); pure constant. - "mvdan.cc/sh/v3/syntax.RdrIn", // redirect operator constant (<); pure constant. - "mvdan.cc/sh/v3/syntax.RdrInOut", // redirect operator constant (<>); pure constant. - "mvdan.cc/sh/v3/syntax.RdrOut", // redirect operator constant (>); pure constant. - "mvdan.cc/sh/v3/syntax.Redirect", // AST node for I/O redirection; pure type. - "mvdan.cc/sh/v3/syntax.SglQuoted", // AST node for single-quoted string; pure type. - "mvdan.cc/sh/v3/syntax.Stmt", // AST node for a complete statement; pure type. - "mvdan.cc/sh/v3/syntax.Subshell", // AST node for ( ) subshell; pure type. - "mvdan.cc/sh/v3/syntax.TestClause", // AST node for [[ ]] test command; pure type. - "mvdan.cc/sh/v3/syntax.TestDecl", // AST node for test declaration; pure type. - "mvdan.cc/sh/v3/syntax.TimeClause", // AST node for time command; pure type. - "mvdan.cc/sh/v3/syntax.Walk", // traverses the AST; pure function, no I/O. - "mvdan.cc/sh/v3/syntax.WhileClause", // AST node for while/until loop; pure type. - "mvdan.cc/sh/v3/syntax.Word", // AST node for a shell word; pure type. - "mvdan.cc/sh/v3/syntax.WordHdoc", // redirect operator constant (<<<); pure constant. - "mvdan.cc/sh/v3/syntax.WordIter", // AST node for word iteration (for-in); pure type. - "mvdan.cc/sh/v3/syntax.WordPart", // AST interface for word components; pure interface. + "mvdan.cc/sh/v3/syntax.AndStmt", // 🟢 AST node for && operator; pure type. + "mvdan.cc/sh/v3/syntax.AppAll", // 🟢 redirect operator constant (&>>); pure constant. + "mvdan.cc/sh/v3/syntax.AppOut", // 🟢 redirect operator constant (>>); pure constant. + "mvdan.cc/sh/v3/syntax.ArithmCmd", // 🟢 AST node for (( )) arithmetic command; pure type. + "mvdan.cc/sh/v3/syntax.ArithmExp", // 🟢 AST node for $(( )) arithmetic expansion; pure type. + "mvdan.cc/sh/v3/syntax.ArithmExpr", // 🟢 AST interface for arithmetic expressions; pure interface. + "mvdan.cc/sh/v3/syntax.Assign", // 🟢 AST node for variable assignment; pure type. + "mvdan.cc/sh/v3/syntax.BinaryCmd", // 🟢 AST node for binary command (&&, ||, |); pure type. + "mvdan.cc/sh/v3/syntax.Block", // 🟢 AST node for { } command group; pure type. + "mvdan.cc/sh/v3/syntax.CallExpr", // 🟢 AST node for simple command call; pure type. + "mvdan.cc/sh/v3/syntax.CaseClause", // 🟢 AST node for case statement; pure type. + "mvdan.cc/sh/v3/syntax.ClbOut", // 🟢 redirect operator constant (>|); pure constant. + "mvdan.cc/sh/v3/syntax.CmdSubst", // 🟢 AST node for $() command substitution; pure type. + "mvdan.cc/sh/v3/syntax.Command", // 🟢 AST interface for all command types; pure interface. + "mvdan.cc/sh/v3/syntax.CoprocClause", // 🟢 AST node for coproc command; pure type. + "mvdan.cc/sh/v3/syntax.DashHdoc", // 🟢 here-doc operator constant (<<-); pure constant. + "mvdan.cc/sh/v3/syntax.DblQuoted", // 🟢 AST node for double-quoted string; pure type. + "mvdan.cc/sh/v3/syntax.DeclClause", // 🟢 AST node for declare/local/export; pure type. + "mvdan.cc/sh/v3/syntax.DplIn", // 🟢 redirect operator constant (<&); pure constant. + "mvdan.cc/sh/v3/syntax.DplOut", // 🟢 redirect operator constant (>&); pure constant. + "mvdan.cc/sh/v3/syntax.ExtGlob", // 🟢 AST node for extended glob pattern; pure type. + "mvdan.cc/sh/v3/syntax.File", // 🟢 AST root node for a parsed shell script; pure type. + "mvdan.cc/sh/v3/syntax.ForClause", // 🟢 AST node for for loop; pure type. + "mvdan.cc/sh/v3/syntax.FuncDecl", // 🟢 AST node for function declaration; pure type. + "mvdan.cc/sh/v3/syntax.Hdoc", // 🟢 here-doc operator constant (<<); pure constant. + "mvdan.cc/sh/v3/syntax.IfClause", // 🟢 AST node for if statement; pure type. + "mvdan.cc/sh/v3/syntax.LetClause", // 🟢 AST node for let command; pure type. + "mvdan.cc/sh/v3/syntax.Lit", // 🟢 AST node for literal string; pure type. + "mvdan.cc/sh/v3/syntax.Node", // 🟢 AST interface for all nodes; pure interface. + "mvdan.cc/sh/v3/syntax.OrStmt", // 🟢 AST node for || operator; pure type. + "mvdan.cc/sh/v3/syntax.ParamExp", // 🟢 AST node for ${} parameter expansion; pure type. + "mvdan.cc/sh/v3/syntax.Pipe", // 🟢 AST node for pipeline; pure type. + "mvdan.cc/sh/v3/syntax.PipeAll", // 🟢 redirect operator constant (|&); pure constant. + "mvdan.cc/sh/v3/syntax.Pos", // 🟢 source position type; pure type. + "mvdan.cc/sh/v3/syntax.ProcSubst", // 🟢 AST node for process substitution; pure type. + "mvdan.cc/sh/v3/syntax.RdrAll", // 🟢 redirect operator constant (&>); pure constant. + "mvdan.cc/sh/v3/syntax.RdrIn", // 🟢 redirect operator constant (<); pure constant. + "mvdan.cc/sh/v3/syntax.RdrInOut", // 🟢 redirect operator constant (<>); pure constant. + "mvdan.cc/sh/v3/syntax.RdrOut", // 🟢 redirect operator constant (>); pure constant. + "mvdan.cc/sh/v3/syntax.Redirect", // 🟢 AST node for I/O redirection; pure type. + "mvdan.cc/sh/v3/syntax.SglQuoted", // 🟢 AST node for single-quoted string; pure type. + "mvdan.cc/sh/v3/syntax.Stmt", // 🟢 AST node for a complete statement; pure type. + "mvdan.cc/sh/v3/syntax.Subshell", // 🟢 AST node for ( ) subshell; pure type. + "mvdan.cc/sh/v3/syntax.TestClause", // 🟢 AST node for [[ ]] test command; pure type. + "mvdan.cc/sh/v3/syntax.TestDecl", // 🟢 AST node for test declaration; pure type. + "mvdan.cc/sh/v3/syntax.TimeClause", // 🟢 AST node for time command; pure type. + "mvdan.cc/sh/v3/syntax.Walk", // 🟢 traverses the AST; pure function, no I/O. + "mvdan.cc/sh/v3/syntax.WhileClause", // 🟢 AST node for while/until loop; pure type. + "mvdan.cc/sh/v3/syntax.Word", // 🟢 AST node for a shell word; pure type. + "mvdan.cc/sh/v3/syntax.WordHdoc", // 🟢 redirect operator constant (<<<); pure constant. + "mvdan.cc/sh/v3/syntax.WordIter", // 🟢 AST node for word iteration (for-in); pure type. + "mvdan.cc/sh/v3/syntax.WordPart", // 🟢 AST interface for word components; pure interface. }