ExampleNewPlugin_restrict registers a policy plugin that allows only docs/* read commands. Note that Restrict() implicitly sets FailClosed — a policy plugin must abort the binary if it fails to install, not silently disappear.
```go
// FailClosed — a policy plugin must abort the binary if it fails to
// install, not silently disappear.
func ExampleNewPlugin_restrict() {
	p, _ := platform.NewPlugin("readonly-docs", "0.1.0").
		Restrict(&platform.Rule{
			Name:    "docs-only",
			Allow:   []string{"docs/**"},
			MaxRisk: platform.RiskRead,
		}).
		Build()
	caps := p.Capabilities()
	fmt.Println(caps.Restricts, caps.FailurePolicy == platform.FailClosed)
	// Output: true true
}
```
nothing calls this directly
no test coverage detected
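What fail-closed installation means for the host binary, as an added sketch that is not the platform package's code: every type and function below (`Plugin`, `NewPlugin`, `InstallAll`) is a hypothetical stand-in, and the install failure is constructed. A restricting plugin that fails to install stops startup, while an optional plugin that fails is skipped.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for illustration; not the platform package's API.
type FailurePolicy int

const (
	FailOpen FailurePolicy = iota
	FailClosed
)

type Plugin struct {
	Name      string
	Restricts bool
	Policy    FailurePolicy
	Install   func() error
}

// NewPlugin applies the rule from the text: restricting implies FailClosed.
func NewPlugin(name string, restricts bool, install func() error) Plugin {
	p := Plugin{Name: name, Restricts: restricts, Policy: FailOpen, Install: install}
	if restricts {
		p.Policy = FailClosed
	}
	return p
}

// InstallAll returns the plugins that loaded. It returns an error as soon as a
// fail-closed plugin cannot install, so the caller can abort instead of
// running without its policy.
func InstallAll(plugins []Plugin) ([]string, error) {
	var loaded []string
	for _, p := range plugins {
		if err := p.Install(); err != nil {
			if p.Policy == FailClosed {
				return loaded, fmt.Errorf("policy plugin %q not installed, refusing to start: %w", p.Name, err)
			}
			continue // fail-open: an optional plugin is skipped
		}
		loaded = append(loaded, p.Name)
	}
	return loaded, nil
}

func main() {
	broken := func() error { return errors.New("constructed install failure") }
	_, err := InstallAll([]Plugin{NewPlugin("readonly-docs", true, broken)})
	fmt.Println(err)
}
```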