Template render entry point.

A template is per-user nomiscript source that pre-fills a transaction draft.
compile_template validates source against the restricted render compiler
surface (a template naming any non-allowlisted native is a compile error).
render_template runs it under link_render — a linker that registers only the
read-only financial natives and the draft natives, never the config/user/ssh
secret surface — and returns the accumulated TransactionDraft.

Both gates (compiler whitelist + linker omission) are load-bearing for token
security: Slice B keeps the per-user JWT private key in the same per-user DB
the eval channel reads, so an escape here would let a template exfiltrate the
signing key. The whitelist test suite (tests/) is treated as a security
gate.
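
A toy model of the two gates described above, added here as an illustration and not the project's own code. The native names (balance_of, draft_set_payee, draft_set_amount, config_get), the GateError type and the toy_* functions are hypothetical; a program is modelled as a list of (native, argument) calls rather than wasm.

```rust
use std::collections::HashMap;

// Hypothetical native names; the page does not list the real allowlist.
const RENDER_ALLOWLIST: &[&str] = &["balance_of", "draft_set_payee", "draft_set_amount"];

#[derive(Debug, PartialEq)]
enum GateError {
    Compile(String), // gate 1: name is unknown to the render compiler
    Link(String),    // gate 2: no host function registered for the import
}

// Gate 1: reject any call to a native that is not on the render allowlist.
fn toy_compile(calls: &[(&str, &str)]) -> Result<Vec<(String, String)>, GateError> {
    calls.iter().map(|(name, arg)| {
        if RENDER_ALLOWLIST.contains(name) {
            Ok((name.to_string(), arg.to_string()))
        } else {
            Err(GateError::Compile(name.to_string()))
        }
    }).collect()
}

type Native = fn(&mut Vec<String>, &str);
// Gate 2: the render linker registers read-only and draft natives only.
fn toy_link_render() -> HashMap<&'static str, Native> {
    let mut natives: HashMap<&'static str, Native> = HashMap::new();
    natives.insert("balance_of", |_draft, _arg| {}); // read-only: no draft effect
    natives.insert("draft_set_payee", |draft, arg| draft.push(format!("payee={arg}")));
    natives.insert("draft_set_amount", |draft, arg| draft.push(format!("amount={arg}")));
    natives // no config/user/ssh native is ever inserted
}

// Run a program call by call; only the accumulated draft is returned.
fn toy_render(program: &[(String, String)]) -> Result<Vec<String>, GateError> {
    let natives = toy_link_render();
    let mut draft = Vec::new();
    for (name, arg) in program {
        let native = natives.get(name.as_str()).ok_or_else(|| GateError::Link(name.clone()))?;
        native(&mut draft, arg);
    }
    Ok(draft)
}

fn main() {
    let ok = toy_compile(&[("draft_set_payee", "ACME")]).expect("allowlisted");
    println!("{:?}", toy_render(&ok));
    let forged = vec![("config_get".to_string(), "jwt_key".to_string())]; // constructed: skips gate 1
    println!("{:?}", toy_render(&forged));
}
```

The forged program in main never passed the compiler, so its rejection depends on the linker omission alone; a test suite treated as a security gate would cover each gate separately in this way.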
Enums
Functions
- compile_template - Compiles source against the restricted render surface, returning the wasm bytes. A template that names a non-allowlisted native fails here with a TemplateError::Compile — this is the first half of the security gate (the compiler simply doesn’t know the dangerous natives exist).
- render_template - Renders source for ctx’s user, returning the accumulated draft. Runs the program form-by-form under the render linker (read-only financial natives + draft natives only). The final value of each form is ignored; only the draft side effects matter.