ExampleNewPlugin_wrapper registers a Wrap that short-circuits any write-class command. The framework converts the returned *AbortError into a structured "hook" envelope; observers still fire on the After stage so audit sees the attempt.
| 29 | // *AbortError into a structured "hook" envelope; observers still |
| 30 | // fire on the After stage so audit sees the attempt. |
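func ExampleNewPlugin_wrapper() {
	// The wrapper is scoped by platform.ByWrite() and never calls next:
	// returning *platform.AbortError is what short-circuits the command.
	//
	// NOTE(review): this example pairs a deny policy with FailOpen(). The
	// code here only shows that the policy is recorded in Capabilities();
	// presumably fail-open lets a command proceed when the hook itself
	// fails - confirm against the framework docs. If so, a broken
	// "block-writes" hook would let writes through, and a fail-closed
	// policy is the safer default for enforcement hooks.
	p, err := platform.NewPlugin("policy-plugin", "0.1.0").
		Wrap("block-writes", platform.ByWrite(),
			func(next platform.Handler) platform.Handler {
				return func(ctx context.Context, inv platform.Invocation) error {
					return &platform.AbortError{
						HookName: "block-writes",
						Reason:   "writes are disabled for this session",
					}
				}
			}).
		FailOpen().
		Build()
	// Check the build result instead of discarding it: p may be unusable
	// when Build fails, and a silent failure would hide a plugin that
	// never registered its policy.
	if err != nil {
		fmt.Println("build failed:", err)
		return
	}
	fmt.Println(p.Capabilities().FailurePolicy == platform.FailOpen)
	// Output: true
}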
| 47 | |
| 48 | // ExampleNewPlugin_restrict registers a policy plugin that allows |
| 49 | // only docs/* read commands. Note that Restrict() implicitly sets |