1.8 KiB
Monty External Functions (Allowlist Example)
Monty supports host interaction only through explicit external functions provided by the embedding application.
In ThreeGate, adding external functions is a security boundary change.
This document provides a minimal, safe example set suitable for review.
Design Rules (Non-Negotiable)
External functions must be:
- Pure (no side effects)
- Deterministic
- Resource bounded
- Non-reflective (no introspection)
- Non-I/O (no files, no network, no env)
If a function violates any of these, it does not belong in Monty.
Recommended Initial Allowlist
Cryptographic Hashing
def sha256_hex(s: str) -> str:
import hashlib
return hashlib.sha256(s.encode("utf-8")).hexdigest()
Use cases:
- Deduplication
- Content fingerprinting
- Integrity checks
Regex Utilities
def regex_findall(pattern: str, text: str) -> list[str]:
import re
return re.findall(pattern, text)
Use cases:
- Structured extraction
- Validation
- Parsing bounded text
JSON Utilities
def json_loads(s: str):
import json
return json.loads(s)
def json_dumps(obj) -> str:
import json
return json.dumps(obj, sort_keys=True)
Use cases:
- Deterministic serialization
- Schema normalization
Explicitly Forbidden Examples
🚫 File access (open, pathlib)
🚫 Time access (time.time, datetime.now)
🚫 Randomness
🚫 Network
🚫 Subprocess
🚫 Environment access
Policy Statement
Any addition, removal, or modification of Monty external functions must be reviewed as a capability escalation and documented in
policy/tool-exec.policy.md.
Summary
Monty is safest when it behaves like a pure function evaluator.
If you need I/O, persistence, or non-determinism: → escalate to ERA instead.