readFailurePolicy calls `p.Capabilities()` and returns the declared `FailurePolicy`, falling back to `FailClosed` if `Capabilities()` panics. Defensive default: when the declaration cannot be read, we assume the worst case (safety-sensitive) rather than the permissive one. **Implementation note**: `FailClosed` must be assigned to the named return BEFORE the panic-prone call. The deferred `recover()` swallows the panic but does not touch the named return, so whatever `policy` held at the moment of the panic is exactly what the caller receives.
```go
// flip the safe-default to FailOpen on panic -- the opposite of what
// the comment claims.
func readFailurePolicy(p platform.Plugin) (policy platform.FailurePolicy) {
	// Set the defensive default first; a recovered panic leaves it in place.
	policy = platform.FailClosed
	defer func() { _ = recover() }()
	// If Capabilities() panics, this assignment never happens.
	policy = p.Capabilities().FailurePolicy
	return
}

// safeCallName recovers from a panic in Plugin.Name() and surfaces it
// as a typed PluginInstallError. Without recovery, a buggy plugin could
```
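The ordering point from the implementation note, as an added stand-alone example (not the project's code): `FailurePolicy`, `Capabilities`, `Plugin` and the two plugin stubs are constructed here to stand in for the `platform` package, with `FailOpen` deliberately given the zero value so that the difference between setting the default before the call and not setting it at all is observable.

```go
package main

import "fmt"

// FailurePolicy is a constructed stand-in for platform.FailurePolicy.
// FailOpen is the zero value, so an unset named return silently means "open".
type FailurePolicy int

const (
	FailOpen FailurePolicy = iota // zero value: what an unassigned named return holds
	FailClosed
)

// Capabilities and Plugin are constructed stand-ins for the platform package.
type Capabilities struct{ FailurePolicy FailurePolicy }
type Plugin interface{ Capabilities() Capabilities }

type healthy struct{ policy FailurePolicy }

func (h healthy) Capabilities() Capabilities { return Capabilities{FailurePolicy: h.policy} }

// panicking models a buggy plugin whose declaration cannot be read.
type panicking struct{}

func (panicking) Capabilities() Capabilities { panic("capabilities unavailable") }

// ReadFailurePolicySafe assigns the defensive default before the panic-prone
// call, so a recovered panic leaves FailClosed in the named return.
func ReadFailurePolicySafe(p Plugin) (policy FailurePolicy) {
	policy = FailClosed
	defer func() { _ = recover() }()
	policy = p.Capabilities().FailurePolicy // never executed if Capabilities panics
	return
}

// ReadFailurePolicyNaive recovers but never sets the default, so the named
// return keeps its zero value (FailOpen) when Capabilities panics.
func ReadFailurePolicyNaive(p Plugin) (policy FailurePolicy) {
	defer func() { _ = recover() }()
	policy = p.Capabilities().FailurePolicy
	return
}

func main() {
	for _, p := range []Plugin{healthy{FailClosed}, panicking{}} {
		fmt.Printf("safe=%d naive=%d\n", ReadFailurePolicySafe(p), ReadFailurePolicyNaive(p))
	}
}
```

For the panicking plugin the safe variant returns `FailClosed` (1) while the naive variant returns `FailOpen` (0); for a healthy plugin both return the declared value.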