Side-effect wrappers
What you'll find here
The MVP wrappers that pass shell, file, memory, and GitHub side effects through policy, grant, redaction, and receipt boundaries — plus the testing seam that keeps everything deterministic.
Callbacks for execution, receipts for outcomes.
Shell and GitHub wrappers accept callbacks for the actual execution boundary, which keeps tests deterministic and prevents ambient side effects. Denials persist receipts; allowed actions persist environment receipts.
Coverage
craik.runtime.side_effects provides MVP wrappers for:
Shell command references
Repository file writes
Durable memory or Stigmem fact writes
Guarded GitHub write operations
Files
Immutable paths require approval.
File writes use check_file_write_grant and
DocsProfile immutable path rules. Immutable paths require
approval metadata and a matching repo.write.immutable
grant. Written content is redacted before persistence.
Memory
Memory writes use memory.write grants and a durable writer
interface. Public metadata records entity, relation, scope, and
confidence only — raw credentials or secret material must not appear
in receipts.
GitHub
GitHub writes use github.write grants with explicit operations such
as create_pr. The wrapper records the operation and redacted result
metadata.
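The callback-and-receipt pattern from "Callbacks for execution, receipts for outcomes" and the GitHub section, as an added Python illustration that is not craik's own code. Grant, ReceiptStore, guarded_github_write, redact, fake_github and the redaction pattern are hypothetical names and assumptions, and the token-shaped string is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Callable

# Hypothetical names throughout; this sketch is not craik's API.
# Assumed redaction rule: mask token-shaped strings and key=value secrets.
SECRET_RE = re.compile(r"(ghp_[A-Za-z0-9]{8,}|(?i:token|password)=\S+)")

def redact(value: str) -> str:
    """Mask secret-looking substrings before anything is persisted."""
    return SECRET_RE.sub("[REDACTED]", value)

@dataclass(frozen=True)
class Grant:
    scope: str             # e.g. "github.write"
    operations: frozenset  # explicit operations, e.g. {"create_pr"}

@dataclass
class ReceiptStore:
    receipts: list = field(default_factory=list)

    def persist(self, kind: str, operation: str, detail: dict) -> dict:
        receipt = {"kind": kind, "operation": operation, "detail": detail}
        self.receipts.append(receipt)
        return receipt

def guarded_github_write(operation: str, payload: dict, grants: list,
                         execute: Callable[[str, dict], dict],
                         store: ReceiptStore) -> dict:
    """Check the grant, run the injected callback, redact, persist a receipt."""
    allowed = any(g.scope == "github.write" and operation in g.operations
                  for g in grants)
    if not allowed:
        # Denied: the callback is never invoked, but the denial is recorded.
        return store.persist("denial", operation,
                             {"reason": "no github.write grant for operation"})
    result = execute(operation, payload)  # the only execution boundary
    safe = {k: redact(str(v)) for k, v in result.items()}
    return store.persist("environment", operation, safe)

def fake_github(calls: list) -> Callable[[str, dict], dict]:
    """Deterministic test double standing in for a real GitHub client."""
    def execute(operation: str, payload: dict) -> dict:
        calls.append(operation)
        # Constructed response that leaks a token-shaped string.
        return {"url": "https://example.invalid/pr/1",
                "debug": "auth token=ghp_CONSTRUCTED123456"}
    return execute
```

Because the wrapper only reaches GitHub through the injected callback, a test can pass fake_github and assert both that a denied call never executed and that the stored receipt contains no token material.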