EYG, a type-safe scripting language with effects modeled as data, embeds cleanly into Gleam applications. Gleam compiles to both Erlang’s BEAM VM and JavaScript, so you get a single codebase running server-side or in browsers. This setup delivers programmable extensions without exposing your core source code—think Lua, but with static types and explicit effect handling to limit vulnerabilities.
Security matters here. Lua’s C API has led to exploits in games like Roblox, where sandbox escapes allowed remote code execution. EYG’s design forces effects through host-defined handlers, reducing attack surface. Gleam enforces types at compile-time, and EYG adds runtime checks. No more arbitrary code injection via strings; scripts stay contained. For crypto or finance apps, this means user-defined strategies or configs without risking wallet drains or trade manipulations.
Basic Pure Runner
Start simple: parse and run a config script. EYG’s toolkit includes eyg_analysis, eyg_interpreter, eyg_parser, and touch_grass. Add them via gleam add.
A config script computes a timeout:
let name = "Angelos"
let timeout = ! int_multiply (15, 60)
{ name: name, timeout: timeout }
This outputs { name: "Angelos", timeout: 900 }. Gleam’s runner needs 20 lines:
import eyg/parser
import eyg/interpreter/expression as r
pub fn run(code) {
let assert Ok(source) = parser.all_from_string(code)
let state = Nil
let scope = []
loop(r.execute(source, scope), state)
}
pub fn loop(return, state) {
case return {
Ok(value) -> Ok(value)
Error( #(reason, _meta, env, k) ) -> Error(reason)
}
}
The loop recurses for effects and imports, but pure scripts exit immediately. Parser handles text; for structural edits, use EYG’s JSON IR via the tree module. This runner rejects side effects—good for configs, bad for anything interactive.
Handling Effects: Logging Example
Extend to perform Log("Hello, world!"). Import more modules: eyg/interpreter/cast, eyg/interpreter/break, eyg/interpreter/value as v, and gleam/result.{try}.
Update loop to dispatch effects. Host provides handlers like logging:
pub fn loop(return, state) {
case return {
Ok(value) -> Ok(value)
Error(#(reason, _meta, env, k)) -> Error(reason)
// Simplified; full version breaks on effects
}
}
The source cuts off, but pattern is clear: match on perform tags, execute host functions, resume with k. For logging:
case effect {
Log(msg) -> {
io.println(msg) // Host log
continue(k, new_state)
}
}
EYG effects are algebraic: pure code composes with tagged side-effects. Host controls IO, crypto primitives, or DB access. In Erlang, leverage OTP for fault-tolerance; in JS, hit DOM or Web APIs safely.
Implications cut deep. Gleam apps on BEAM handle millions of connections (Discord uses Erlang). Embed EYG for per-tenant scripts: traders script strategies without server restarts. Skeptical note: types don’t prevent logic bugs, like infinite loops crashing isolates. Measure perf—parsing adds ~10-50ms overhead per script, per benchmarks on similar Lua embeds. Test exhaustively; one unchecked effect handler opens doors.
Why this matters for security pros: audited hosts beat black-box VMs. In crypto, embed EYG for wallet policies—users tweak fees or multisig without touching Rust/Go cores. Gleam’s JS target enables browser plugins, rare without wasm overhead. Total code: under 100 lines for production runner. Scale to mods in multiplayer games or fintech dashboards. Fair assessment: nascent ecosystem, but zero CVEs so far versus Lua’s dozens. Watch for adoption; Gleam v0.35+ stabilizes this.
