# Safety Layers — TOS (Terms of Safety)

## Overview

Nitpick's safety model uses explicit layers. Each layer grants more power and less safety:

| Layer | Name | Access | Safety |
|---|---|---|---|
| 0 | Safe | Default Nitpick code | Full — Result |
| 1 | Controlled | sys() safe syscalls | Curated syscall whitelist |
| 2 | Supervised | sys!!() all syscalls | All syscalls, still returns Result |
| 3 | Raw | sys!!!(), wild, wildx | No safety net — you own it |
## TOS Safety Vocabulary

Explicit bypass keywords that escalate the safety layer:

| Keyword | Action | Layer |
|---|---|---|
| raw / _! | Extract value, ignore error | 1+ |
| drop / _? | Discard Result entirely | 1+ |
| ok | Pass potentially unknown value | 1+ |
| ?! | Emphatic Result fallback unwrap | 0 |
| wild | Unmanaged memory allocation | 3 |
| wildx | Executable memory allocation | 3 |
| sys!!!() | Raw syscall | 3 |
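The two tables above describe a layering (whitelisted syscalls returning Result, all syscalls returning Result, raw syscalls with no net) and a vocabulary of call-site bypasses. The following is an added illustration of that model written in Rust, not Nitpick code and not part of this documentation: Nitpick's own syntax is not reproduced, the `kernel` function is a constructed stand-in that issues no real syscall, the whitelist and syscall names are assumed sample values, and the Rust idioms (`?`, `.unwrap()`, `let _ =`, `.unwrap_or`, `unsafe`) are this example's mapping of the TOS keywords, chosen because each is visible where it is used.

```rust
// Added illustration of Nitpick's layered safety model, in Rust.
// Assumption: Nitpick syntax is not shown; the whitelist, the syscall
// names and the fake "kernel" below are constructed for this example.

/// Layer 1 whitelist (assumed sample entries).
const CURATED: &[&str] = &["read", "write", "close"];

#[derive(Debug, PartialEq)]
pub enum SysError {
    NotInWhitelist(String),
    Unknown(String),
    Failed(i64),
}

/// Constructed stand-in for the kernel: resolves a syscall name and returns
/// a raw return value, negative meaning failure (errno style). No real
/// syscall is issued; the values are invented for the example.
fn kernel(name: &str, arg: i64) -> Option<i64> {
    match name {
        "read" | "write" => Some(arg), // echo arg as bytes transferred
        "close" => Some(0),
        "mmap" => Some(0x7f00_0000),   // fake mapped address
        "reboot" => Some(-1),          // fake permission failure
        _ => None,
    }
}

/// Layer 2 analogue of sys!!(): any syscall, still wrapped in Result.
pub fn sys_all(name: &str, arg: i64) -> Result<i64, SysError> {
    match kernel(name, arg) {
        None => Err(SysError::Unknown(name.to_string())),
        Some(v) if v < 0 => Err(SysError::Failed(v)),
        Some(v) => Ok(v),
    }
}

/// Layer 1 analogue of sys(): only whitelisted syscalls pass through.
pub fn sys(name: &str, arg: i64) -> Result<i64, SysError> {
    if !CURATED.contains(&name) {
        return Err(SysError::NotInWhitelist(name.to_string()));
    }
    sys_all(name, arg)
}

/// Layer 3 analogue of sys!!!(): no whitelist, no Result; the caller owns it.
/// Marked `unsafe` so the bypass is visible at every call site, the way the
/// TOS keywords are. Returns the raw value, -1 for an unknown syscall.
pub unsafe fn sys_raw(name: &str, arg: i64) -> i64 {
    kernel(name, arg).unwrap_or(-1)
}

/// Layer 0 code: no bypass at all, errors propagate with `?`.
pub fn copy_bytes(n: i64) -> Result<i64, SysError> {
    let got = sys("read", n)?;
    sys("write", got)
}

/// The TOS vocabulary mapped onto Rust idioms, each visible at the call site:
///   raw / _!  -> .unwrap()            (extract the value, give up on error)
///   drop / _? -> let _ = ...          (discard the Result entirely)
///   ?!        -> .unwrap_or(fallback) (emphatic fallback unwrap, Layer 0)
///   sys!!!()  -> unsafe { sys_raw() } (Layer 3, no whitelist, no Result)
pub fn bypass_demo() -> (i64, i64, i64) {
    let extracted = sys("read", 8).unwrap();      // raw
    let _ = sys("reboot", 0);                     // drop: outcome deliberately ignored
    let fallback = sys("mmap", 0).unwrap_or(0);   // ?!: NotInWhitelist -> 0
    let raw = unsafe { sys_raw("mmap", 0) };      // Layer 3: whitelist and Result bypassed
    (extracted, fallback, raw)
}
```

Reading `bypass_demo` top to bottom shows the property the Philosophy section asks for: every place where the Result contract or the whitelist is relaxed carries a marker at the call site, so a reviewer can grep for `.unwrap()`, `let _ =` and `unsafe` the same way they would grep Nitpick code for `raw`, `drop` and `sys!!!`.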
## Philosophy

Every safety bypass is visible in code. There are no hidden undefined behaviors.
When reading Nitpick code, the raw, wild, drop, sys!!! keywords immediately
identify where safety guarantees are intentionally relaxed.
## Related

- control_flow/error_flow.md — error model overview
- result/ — canonical Result handling cookbook
- types/result.md — Result safety
- io_system/sys.md — syscall tiers