Add module allow deny policy hooks

Author: mgomes

ROADMAP.md

@@ -259,7 +259,7 @@ Goal: make multi-file script projects easier to compose and maintain.
 
 - [x] Tighten module root boundary checks and path normalization.
 - [x] Add test coverage for path traversal attempts.
-- [ ] Add explicit policy hooks for module allow/deny lists.
+- [x] Add explicit policy hooks for module allow/deny lists.
 
 ### Developer UX
 

docs/integration.md

@@ -74,6 +74,9 @@ The interpreter searches each configured directory for `<module>.vibe` in order
 and caches compiled modules so subsequent calls to `require` are inexpensive.
 For long-running hosts, call `engine.ClearModuleCache()` between runs when
 module sources can change.
+Use `Config.ModuleAllowList` / `Config.ModuleDenyList` for policy hooks over
+which modules may be loaded (`*` glob patterns against normalized module names,
+with deny-list rules taking precedence).
 When a circular module dependency is detected, the runtime reports a concise
 chain (for example `a -> b -> a`).
 Use the optional `as:` keyword to bind the loaded module object to a global

vibes/interpreter.go

@@ -17,6 +17,8 @@ type Config struct {
 	StrictEffects    bool
 	RecursionLimit   int
 	ModulePaths      []string
+	ModuleAllowList  []string
+	ModuleDenyList   []string
 	MaxCachedModules int
 }
 
@@ -47,6 +49,12 @@ func NewEngine(cfg Config) (*Engine, error) {
 	if err := validateModulePaths(cfg.ModulePaths); err != nil {
 		return nil, err
 	}
+	if err := validateModulePolicyPatterns(cfg.ModuleAllowList, "allow"); err != nil {
+		return nil, err
+	}
+	if err := validateModulePolicyPatterns(cfg.ModuleDenyList, "deny"); err != nil {
+		return nil, err
+	}
 
 	engine := &Engine{
 		config:   cfg,

vibes/modules.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io/fs"
 	"os"
+	"path"
 	"path/filepath"
 	"reflect"
 	"slices"
@@ -26,6 +27,80 @@ type moduleRequest struct {
 
 const moduleKeySeparator = "::"
 
+func normalizeModulePolicyPattern(pattern string) string {
+	normalized := strings.TrimSpace(pattern)
+	normalized = strings.ReplaceAll(normalized, "\\", "/")
+	normalized = strings.TrimPrefix(normalized, "./")
+	normalized = strings.TrimSuffix(normalized, ".vibe")
+	normalized = path.Clean(normalized)
+	if normalized == "." {
+		return ""
+	}
+	return normalized
+}
+
+func normalizeModulePolicyModuleName(relative string) string {
+	normalized := filepath.ToSlash(filepath.Clean(relative))
+	normalized = strings.TrimPrefix(normalized, "./")
+	normalized = strings.TrimSuffix(normalized, ".vibe")
+	if normalized == "." {
+		return ""
+	}
+	return normalized
+}
+
+func validateModulePolicyPatterns(patterns []string, label string) error {
+	for _, raw := range patterns {
+		pattern := normalizeModulePolicyPattern(raw)
+		if pattern == "" {
+			return fmt.Errorf("vibes: module %s-list pattern cannot be empty", label)
+		}
+		if _, err := path.Match(pattern, "probe"); err != nil {
+			return fmt.Errorf("vibes: invalid module %s-list pattern %q: %w", label, raw, err)
+		}
+	}
+	return nil
+}
+
+func modulePolicyMatch(pattern string, module string) bool {
+	matched, err := path.Match(pattern, module)
+	if err != nil {
+		return false
+	}
+	return matched
+}
+
+func (e *Engine) enforceModulePolicy(relative string) error {
+	module := normalizeModulePolicyModuleName(relative)
+	if module == "" {
+		return nil
+	}
+
+	for _, raw := range e.config.ModuleDenyList {
+		pattern := normalizeModulePolicyPattern(raw)
+		if pattern == "" {
+			continue
+		}
+		if modulePolicyMatch(pattern, module) {
+			return fmt.Errorf("require: module %q denied by policy", module)
+		}
+	}
+
+	if len(e.config.ModuleAllowList) == 0 {
+		return nil
+	}
+	for _, raw := range e.config.ModuleAllowList {
+		pattern := normalizeModulePolicyPattern(raw)
+		if pattern == "" {
+			continue
+		}
+		if modulePolicyMatch(pattern, module) {
+			return nil
+		}
+	}
+	return fmt.Errorf("require: module %q not allowed by policy", module)
+}
+
 func parseModuleRequest(name string) (moduleRequest, error) {
 	trimmed := strings.TrimSpace(name)
 	if trimmed == "" {
@@ -271,6 +346,10 @@ func (e *Engine) loadSearchPathModule(request moduleRequest) (moduleEntry, error
 }
 
 func (e *Engine) compileAndCacheModule(key, root, relative, fullPath string, content []byte) (moduleEntry, error) {
+	if err := e.enforceModulePolicy(relative); err != nil {
+		return moduleEntry{}, err
+	}
+
 	script, err := e.Compile(string(content))
 	if err != nil {
 		return moduleEntry{}, fmt.Errorf("require: compiling %s failed: %w", fullPath, err)

vibes/modules_test.go

@@ -947,6 +947,71 @@ end`)
 	}
 }
 
+func TestRequireModuleAllowList(t *testing.T) {
+	engine := MustNewEngine(Config{
+		ModulePaths:     []string{filepath.Join("testdata", "modules")},
+		ModuleAllowList: []string{"shared/*"},
+	})
+
+	script, err := engine.Compile(`def run_allowed(value)
+  mod = require("shared/math")
+  mod.double(value)
+end
+
+def run_denied(value)
+  mod = require("helper")
+  mod.double(value)
+end`)
+	if err != nil {
+		t.Fatalf("compile failed: %v", err)
+	}
+
+	allowed, err := script.Call(context.Background(), "run_allowed", []Value{NewInt(3)}, CallOptions{})
+	if err != nil {
+		t.Fatalf("allowed call failed: %v", err)
+	}
+	if allowed.Kind() != KindInt || allowed.Int() != 6 {
+		t.Fatalf("expected allowed result 6, got %#v", allowed)
+	}
+
+	if _, err := script.Call(context.Background(), "run_denied", []Value{NewInt(3)}, CallOptions{}); err == nil {
+		t.Fatalf("expected denied module error")
+	} else if !strings.Contains(err.Error(), `require: module "helper" not allowed by policy`) {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}
+
+func TestRequireModuleDenyListOverridesAllowList(t *testing.T) {
+	engine := MustNewEngine(Config{
+		ModulePaths:     []string{filepath.Join("testdata", "modules")},
+		ModuleAllowList: []string{"*"},
+		ModuleDenyList:  []string{"helper"},
+	})
+
+	script, err := engine.Compile(`def run()
+  require("helper")
+end`)
+	if err != nil {
+		t.Fatalf("compile failed: %v", err)
+	}
+
+	if _, err := script.Call(context.Background(), "run", nil, CallOptions{}); err == nil {
+		t.Fatalf("expected deny-list error")
+	} else if !strings.Contains(err.Error(), `require: module "helper" denied by policy`) {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}
+
+func TestModulePolicyPatternValidation(t *testing.T) {
+	_, err := NewEngine(Config{
+		ModulePaths:     []string{filepath.Join("testdata", "modules")},
+		ModuleAllowList: []string{"[invalid"},
+	})
+	if err == nil || !strings.Contains(err.Error(), "invalid module allow-list pattern") {
+		t.Fatalf("expected invalid allow-list pattern error, got %v", err)
+	}
+}
+
 func TestFormatModuleCycleUsesConciseChain(t *testing.T) {
 	root := filepath.Join("tmp", "modules")
 	a := moduleCacheKey(root, filepath.Join("nested", "a.vibe"))