Skip to content

execution-safety.md

Latest commit

 

History

History
82 lines (51 loc) · 3.43 KB

execution-safety.md

File metadata and controls

82 lines (51 loc) · 3.43 KB
title Execution Safety
sidebar_label Execution Safety
sidebar_position 4
description Stave's guarantees against dynamic code execution.

Execution Safety

Stave never executes user-supplied code. This document enumerates the guarantees.

AirGap Policy Source of Truth

All air-gapped runtime restrictions are centralized in one file:

This file defines:

  • Proxy environment variables blocked by --require-offline
  • Runtime-banned imports and explicit allowlisted exceptions
  • Credential environment variables that runtime code must never read

Both runtime checks and CI safety tests consume this policy so restrictions are traceable and drift-resistant.

No subprocess execution

The runtime stave binary does not import os/exec and never spawns child processes. All evaluation, extraction, and output generation happens in-process.

Terminal recording generation is owned by the sibling publisher workspace (../publisher/generate-recordings.sh) and is not part of the Stave runtime or release artifact.

No plugins

The plugin standard library package is not imported anywhere in the runtime codebase. Stave has no plugin loading mechanism.

Restricted template execution

html/template is banned in runtime code.

text/template is banned in runtime code. Custom output formatting uses a restricted renderer (internal/cli/ui/template.go) that supports only field access, range, and json — not the full text/template API. Enforcement artifacts (Terraform HCL, SCP JSON) are still generated by direct string formatting and struct marshaling.

No interpreters or embedded runtimes

Stave does not embed scripting engines, Lua, WASM runtimes, or any other code execution environment.

No reflection-based dispatch

Stave does not use reflect for dynamic dispatch or method invocation. Type assertions are used only for JSON value handling in predicate evaluation.

Controls are a closed DSL

Control files are data (YAML), not code. They are:

  • Schema-validated against ctrl.v1 before evaluation
  • Restricted to a fixed set of predicate operators (see Evaluation Semantics)
  • Combined only via any (OR) and all (AND) logic
  • Not extensible — no custom functions, no user-defined operators, no hooks

The operator set is defined in internal/core/predicate/operators.go and tested against drift.

Enforcement artifacts are templates, not executables

The enforce command generates remediation templates (Terraform HCL, AWS SCP JSON). Stave writes these files but never executes them. Users must review and apply artifacts through their own deployment pipeline.

Banned imports summary

The following packages are not imported by the runtime binary (cmd/stave):

Package Reason banned
os/exec No subprocess execution
plugin No plugin loading
text/template No template execution
html/template No template execution
unsafe No unsafe memory operations
net/http No network I/O
net/rpc No network I/O
crypto/tls No TLS connections

This is enforced by a CI test (TestNoBannedImportsInRuntime in internal/core/).

Schema identifiers use urn:stave:schema: (not HTTP URLs) to avoid false positives. This is enforced by TestNoHTTPSchemaIdentifiers.