Canonical host-fn registry for the 32 server commands.
Each domain owns a submodule that mirrors the server::command::* shape and
holds one file per server command. Commands register their host fn through a
per-domain register entry point; the top-level register_all aggregates
every domain so a wasmtime Linker gains the full
canonical surface in one call.
Subsequent commits fill each domain. This commit lays down the directory shape so per-command commits stay focused on one server command at a time.
Modules§
- account
- Account-domain natives. Wraps server::command::{CreateAccount, ListAccounts, ListAccountsForManage, GetAccountForManage, SetAccountTag, GetAccount, GetAccountCommodities, GetBalance} as nomiscript-callable host fns.
- catch_each
- (catch-each items var body) host native — Tier 2’s iteration-bounded error recovery (ADR-0025).
- commodity
- Commodity-domain natives. Wraps server::command::{GetCommodity, CreateCommodity, ListCommodities}.
- config
- Config-domain natives. Wraps server::command::{GetConfig, GetVersion, GetBuildDate, SetConfig, SelectColumn}.
- env_io
- Host output channel for the eval-mode module.
- meta
- Diagnostic / session-introspection natives.
- raise
- Script-raise host native: the boundary bridge for in-guest raises.
- report
- Report-domain natives. Wraps server::command::{BalanceReport, ActivityReport, CategoryBreakdown}.
- split
- Split-domain natives. Wraps server::command::ListSplits.
- ssh_key
- SSH-key-domain natives. Wraps server::command::{ListSshKeys, RemoveSshKey, UserHasSshKey, LookupUserBySshKey}. AddSshKey is deliberately NOT exposed: pubkey upload stays on the dedicated ssh-copy-id exec flow so the eval channel can never be used to register impersonation keys.
- template
- Render-only draft natives.
- transaction
- Transaction-domain natives. Wraps server::command::{CreateTransaction, ListTransactions, GetTransaction, UpdateTransaction, DeleteTransaction}.
- user
- User-domain natives. Wraps server::command::VerifyUserPassword only; account-creation/registration is reserved for the auth-flow path, not the eval channel.
Constants§
- RENDER_NATIVE_ALLOWLIST
- The only non-draft natives a template may call: read-only financial lookups, pure value conversion, and the session-user-id accessor. Every entry is verified read-only — no mutator, no config/secret reader, no auth surface. convert-commodity only reads the prices table (verified: it issues SELECT … prices …, never a write).
Functions§
- all_compiler_specs
- all_registered_commands
- link
- Aggregator: registers every domain’s host fns on linker in one call. Bound to SessionData now that meta natives consult ScriptCtx (user_id) — generic-T register fns from the empty per-domain modules still satisfy this concrete type because they don’t touch the Store data.
- link_render
- Links ONLY the render-safe host fns onto linker: infra, the allowlisted read fns, and the draft natives. The dual gate is FULL here — a dangerous native is blocked at both levels. First, the config, user, and ssh_key modules are never registered at all (the secret/credential/auth surface has nothing to bind to). Second, the account/commodity/split/transaction mutators are excluded by linking each module’s register_readonly variant, so create-*/update-*/delete-*/set-*-tag imports are never bound either. So even a hypothetical compiler-spec leak finds no linked target. env.log is bound as a silent no-op (the import must resolve, but template output is discarded).
- render_compiler_specs
- Compiler specs the render surface exposes: the allowlisted subset of all_compiler_specs. Filtering the single canonical registry (rather than hand-maintaining a parallel list) keeps the render surface in lock-step with the org source — a renamed native drops out automatically rather than silently mismatching the linker.
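
The dual gate described for link_render and render_compiler_specs, modelled with the standard library only. This is an added example, not the crate's code: the native names, domains and mutates flags are constructed, and a plain list stands in for the wasmtime Linker.

```rust
// Constructed model of the dual gate: names, domains and flags are illustrative.
#[derive(Clone, Copy)]
struct Spec { name: &'static str, domain: &'static str, mutates: bool }

// Single canonical registry (stand-in for all_compiler_specs).
const ALL_SPECS: &[Spec] = &[
    Spec { name: "get-balance", domain: "account", mutates: false },
    Spec { name: "create-account", domain: "account", mutates: true },
    Spec { name: "convert-commodity", domain: "commodity", mutates: false },
    Spec { name: "delete-transaction", domain: "transaction", mutates: true },
    Spec { name: "get-config", domain: "config", mutates: false },
];
// Allowlist with one stale entry, as left behind by a rename in the registry.
const RENDER_ALLOWLIST: &[&str] = &["get-balance", "convert-commodity", "get-balance-old"];
// Domains whose modules are never registered on the render linker.
const UNLINKED_DOMAINS: &[&str] = &["config", "user", "ssh_key"];

/// Gate 1: specs the template compiler may see, filtered from the one registry.
fn render_specs() -> Vec<&'static str> {
    ALL_SPECS.iter().filter(|s| RENDER_ALLOWLIST.contains(&s.name)).map(|s| s.name).collect()
}

/// Gate 2: names the render linker binds, decided without consulting gate 1.
fn link_render() -> Vec<&'static str> {
    ALL_SPECS.iter()
        .filter(|s| !s.mutates && !UNLINKED_DOMAINS.contains(&s.domain))
        .map(|s| s.name)
        .collect()
}

/// Import resolution at instantiation: the first import with no linked target fails.
fn instantiate(imports: &[&str]) -> Result<(), String> {
    let linked = link_render();
    match imports.iter().find(|i| !linked.iter().any(|l| l == *i)) {
        Some(missing) => Err(format!("unresolved import: {}", missing)),
        None => Ok(()),
    }
}

/// Invariant worth a unit test: everything gate 1 exposes has a linked target.
fn exposed_but_unlinked() -> Vec<&'static str> {
    let linked = link_render();
    render_specs().into_iter().filter(|n| !linked.contains(n)).collect()
}

fn main() {
    println!("render specs: {:?}", render_specs());
    println!("spec leak: {:?}", instantiate(&["get-balance", "create-account"]));
    println!("exposed but unlinked: {:?}", exposed_but_unlinked());
}
```

The stale allowlist entry never reaches the compiler because gate 1 only filters names that exist in the registry, and an import for a mutator or a config-domain native fails at resolution because gate 2 never bound it.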