ThreeGate/docs/monty_external_functions.md

# Monty External Functions (Allowlist Example)

Monty supports host interaction only through **explicit external functions**
provided by the embedding application.

In ThreeGate, adding external functions is a **security boundary change**.

This document provides a *minimal, safe* example set suitable for review.

---

## Design Rules (Non-Negotiable)

External functions must be:

- Pure (no side effects)
- Deterministic
- Resource bounded
- Non-reflective (no introspection)
- Non-I/O (no files, no network, no env)

If a function violates any of these, it does **not belong in Monty**.

---

## Recommended Initial Allowlist

### Cryptographic Hashing

```python
def sha256_hex(s: str) -> str:
    import hashlib
    return hashlib.sha256(s.encode("utf-8")).hexdigest()
````

Use cases:

* Deduplication
* Content fingerprinting
* Integrity checks

---

### Regex Utilities

```python
def regex_findall(pattern: str, text: str) -> list[str]:
    import re
    return re.findall(pattern, text)
```

Use cases:

* Structured extraction
* Validation
* Parsing bounded text

---

### JSON Utilities

```python
def json_loads(s: str):
    import json
    return json.loads(s)

def json_dumps(obj) -> str:
    import json
    return json.dumps(obj, sort_keys=True)
```

Use cases:

* Deterministic serialization
* Schema normalization

---

## Explicitly Forbidden Examples

🚫 File access (`open`, `pathlib`)
🚫 Time access (`time.time`, `datetime.now`)
🚫 Randomness
🚫 Network
🚫 Subprocess
🚫 Environment access

---

## Policy Statement

> Any addition, removal, or modification of Monty external functions must be
> reviewed as a **capability escalation** and documented in `policy/tool-exec.policy.md`.

---

## Summary

Monty is safest when it behaves like a **pure function evaluator**.

If you need I/O, persistence, or non-determinism:
→ escalate to ERA instead.