Creates a guardrail that inspects R code for calls to blocked functions.
Uses AST walking to detect direct calls and optionally indirect invocation
via do.call().
Usage
guard_code_analysis(
blocked_functions = default_blocked_functions(),
allow_namespaces = NULL,
detect_indirect = TRUE
)Arguments
- blocked_functions
Character vector of function names to block. Defaults to
default_blocked_functions(). Names can include namespace prefixes (e.g."processx::run").- allow_namespaces
Character vector of package prefixes to allow even if a function from that package appears in
blocked_functions. For example,allow_namespaces = "dplyr"would allowdplyr::filter.- detect_indirect
Logical(1). If
TRUE(default), also detect indirect calls viado.call("system", ...)where the first argument is a string literal matching a blocked function.
Examples
g <- guard_code_analysis()
run_guardrail(g, "x <- 1 + 2")
#> <guardrail_result> PASS
run_guardrail(g, "system('ls')")
#> <guardrail_result> FAIL
#> Reason: Blocked function(s) detected: system