Glossary
Short, plain-language definitions of the core DotBoxD terms, each linking to the page that covers it in depth. If you landed mid-tree — say on Pushdown or Kernel runtime — look the unfamiliar words up here first, then follow the link for the full treatment.
Sandbox and kernels
- Kernel — Client/plugin-supplied logic the host runs safely under policy, as validated, capability-gated, fuel-metered IR — never C#, IL, or reflection.
- IR (intermediate representation) — The restricted, JSON-authored instruction format a kernel is expressed in; the host rejects anything outside the allowed shape before it runs.
- Lowering — Compile-time rewriting of authored C# (a `.Where`/`.Select` chain or a `[ServerExtension]` batch) into verified IR that runs server-side.
- Host binding — A `[HostBinding]` method the host explicitly exposes; the only way a kernel reaches outside pure computation, and only when the matching capability is granted.
- Capability — A named grant (e.g. `file.read`) the host policy must give before a kernel may use the matching effect; derived from the IR the kernel actually touches, and fail-closed.
- Effect (`SandboxEffect`) — The category of outside-world impact an operation has (`Cpu`, `Alloc`, file/network/host effects, `Time`, `Random`, `Concurrency`, `Audit`), controlled by the policy.
- Fuel and metering (quota) — Fuel is an abstract instruction budget; metering charges every operation and enforces loop, call-depth, list-length, output, and per-capability quotas, stopping a kernel that runs over.
- `SandboxPolicy` — The immutable hard budget every kernel run is bounded by: fuel, loop/depth/output limits, capability grants, and effect controls.
- Manifest — The public artifact declaring a kernel's required capabilities (the union of what its IR touches); install fails closed if the host policy does not grant them.
- Trust boundary — The line that actually contains untrusted code: validated kernel IR is one; loading a .NET assembly (`AssemblyLoadContext`) is not.
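As an added illustration of how the terms above fit together (a toy model written for this glossary, not DotBoxD's own IR, policy or API; the op names, binding names and capability names are assumptions), the following Python validates JSON-authored IR for shape, derives its manifest from the host bindings it touches, fails install closed against the policy's grants, and lets metering stop a kernel that exhausts its fuel or exceeds the loop limit:

```python
# Added toy model of the terms above (not DotBoxD's own IR or API): JSON-authored IR,
# a manifest derived from it, a fail-closed policy check, and fuel metering.
import json

ALLOWED_OPS = {"add", "call", "loop"}  # assumed op names
BINDING_CAPS = {"readFile": "file.read", "now": "time.read"}  # assumed binding -> capability
class SandboxViolation(Exception): pass

def validate(ir):
    # Anything outside the allowed shape is rejected before it can run.
    for op in ir:
        kind = op.get("op") if isinstance(op, dict) else None
        if kind not in ALLOWED_OPS or (kind == "call" and op.get("binding") not in BINDING_CAPS):
            raise SandboxViolation(f"disallowed op: {op!r}")
        if kind == "loop":
            validate(op["body"])

def derive_manifest(ir):
    # Required capabilities are the union of what the IR actually touches.
    caps = set()
    for op in ir:
        if op["op"] == "call":
            caps.add(BINDING_CAPS[op["binding"]])
        elif op["op"] == "loop":
            caps |= derive_manifest(op["body"])
    return caps

def run(ir_json, policy, bindings):
    ir = json.loads(ir_json)
    validate(ir)
    missing = derive_manifest(ir) - policy["capabilities"]
    if missing:  # install fails closed on any ungranted capability
        raise SandboxViolation(f"capabilities not granted: {sorted(missing)}")
    state = {"fuel": policy["fuel"], "acc": 0}
    def exec_ops(ops):
        for op in ops:
            state["fuel"] -= 1  # metering charges every operation
            if state["fuel"] < 0:
                raise SandboxViolation("out of fuel")
            if op["op"] == "add":
                state["acc"] += op["value"]
            elif op["op"] == "call":
                state["acc"] += bindings[op["binding"]]()
            elif op["count"] > policy["max_loop"]:
                raise SandboxViolation("loop count exceeds policy limit")
            else:
                for _ in range(op["count"]):
                    exec_ops(op["body"])
    exec_ops(ir)
    return state["acc"], state["fuel"]
```

`run` returns the kernel's accumulated result together with the fuel left over, so a caller can see how much of the budget a given IR consumed.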
Modes and authoring
- Pushdown — Collapsing many small remote calls into one validated server-side batch that loops the host's existing bindings next to its data.
- Server extension — A plugin's `[ServerExtension]` batch aggregate, lowered to a sandboxed kernel and installed into a frozen host without recompiling it.
- Hook / Subscription — The two event registries a plugin attaches reactions to: `server.Hooks` are awaited decision points whose logic can influence the outcome; `server.Subscriptions` are fire-and-forget notifications.
- Event-pipeline terminals (`RunLocal`/`Run`/`RegisterLocal`/`Register`/`Use`) — The last call in an event pipeline, chosen on two axes: where your handler runs — in your plugin as native C# (`RunLocal`, `RegisterLocal`) or server-side as sandboxed IR (`Run`, `Register`) — and whether it returns a decision — `Register`/`RegisterLocal` hand an `IHookResult` back to the server, while `Run`/`RunLocal` are fire-and-forget. `Use<TKernel>` installs a separately-authored kernel. Result terminals (`Register`/`RegisterLocal`) exist only on `server.Hooks` (awaited decisions), never on fire-and-forget `server.Subscriptions`.
Services, RPC, and transport
- RPC — Remote procedure call: a discrete, typed request→response to a host capability behind a shared C# `[DotBoxDService]` contract.
- Peer — An `RpcPeer`/`RpcHost` endpoint; the runtime is peer-based and bidirectional, so one connection can both serve and call services.
- Proxy / dispatcher — The generated client-side stub (proxy) that marshals a call over the wire and the server-side dispatcher that routes it to your implementation.
- IPC (inter-process communication) — Two OS processes (host and plugin/client) talking over a transport such as a named pipe or TCP.
- DTO (data transfer object) — A plain data type that crosses the wire; MessagePack DTOs are annotated with `[MessagePackObject]` and a stable `[Key]` per member — see Services.