| author | Jlll1 <arghantentua@tutanota.com> | 2022-11-28 20:23:04 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-11-28 12:23:04 -0700 |
| commit | f004812b338340e5f5157aa68d09d3f0e5605c6c (patch) | |
| tree | 415f51509f9b19037d87bb3e8d2286b8a68da2a1 /runtime/doc | |
| parent | 77a0f4a542ad9354c647b6bafc1bbd5579212a9e (diff) | |
feat(secure): add `:trust` command and vim.secure.trust() (#21107)
Introduce vim.secure.trust() to programmatically manage the trust
database. Use this function in a new :trust ex command which can
be used as a simple frontend.
Resolves: https://github.com/neovim/neovim/issues/21092
Co-authored-by: Gregory Anders <greg@gpanders.com>
Co-authored-by: ii14 <ii14@users.noreply.github.com>
Diffstat (limited to 'runtime/doc')
| -rw-r--r-- | runtime/doc/editing.txt | 28 | ||||
| -rw-r--r-- | runtime/doc/index.txt | 1 | ||||
| -rw-r--r-- | runtime/doc/lua.txt | 24 | ||||
| -rw-r--r-- | runtime/doc/news.txt | 3 | ||||
| -rw-r--r-- | runtime/doc/options.txt | 2 |
5 files changed, 58 insertions, 0 deletions
diff --git a/runtime/doc/editing.txt b/runtime/doc/editing.txt index 76c528ef3c..e379d9eeb1 100644 --- a/runtime/doc/editing.txt +++ b/runtime/doc/editing.txt @@ -1650,4 +1650,32 @@ There are three different types of searching: currently work with 'path' items that contain a URL or use the double star with depth limiter (/usr/**2) or upward search (;) notations. +============================================================================== +11. Trusted Files *trust* + +Nvim has the ability to execute arbitrary code through the 'exrc' option. In +order to prevent executing code from untrusted sources, Nvim has the concept of +"trusted files". An untrusted file will not be executed without the user's +consent, and a user can permanently mark a file as trusted or untrusted using +the |:trust| command or the |vim.secure.read()| function. + + *:trust* *E5570* +:trust [++deny] [++remove] [{file}] + + Manage files in the trust database. Without any options + or arguments, :trust adds the file associated with the + current buffer to the trust database, along with the + SHA256 hash of its contents. + + [++deny] marks the file associated with the current + buffer (or {file}, if given) as denied; no prompts will + be displayed to the user and the file will never be + executed. + + [++remove] removes the file associated with the current + buffer (or {file}, if given) from the trust database. + Future attempts to read the file in a secure setting + (i.e. with 'exrc' or |vim.secure.read()|) will prompt + the user if the file is trusted. + vim:tw=78:ts=8:noet:ft=help:norl: diff --git a/runtime/doc/index.txt b/runtime/doc/index.txt index 376487ad1d..66353e05f3 100644 --- a/runtime/doc/index.txt +++ b/runtime/doc/index.txt 
@@ -1633,6 +1633,7 @@ tag command action ~ |:topleft| :to[pleft] make split window appear at top or far left |:tprevious| :tp[revious] jump to previous matching tag |:trewind| :tr[ewind] jump to first matching tag +|:trust| :trust add or remove file from trust database |:try| :try execute commands, abort on error or exception |:tselect| :ts[elect] list matching tags and select one |:tunmap| :tunma[p] like ":unmap" but for |Terminal-mode| diff --git a/runtime/doc/lua.txt b/runtime/doc/lua.txt index 005b6409d6..bcbbd69f11 100644 --- a/runtime/doc/lua.txt +++ b/runtime/doc/lua.txt @@ -2371,4 +2371,28 @@ read({path}) *vim.secure.read()* (string|nil) The contents of the given file if it exists and is trusted, or nil otherwise. + See also: ~ + |:trust| + +trust({opts}) *vim.secure.trust()* + Manage the trust database. + + The trust database is located at |$XDG_STATE_HOME|/nvim/trust. + + Parameters: ~ + • {opts} (table) + • action (string): "allow" to add a file to the trust database + and trust it, "deny" to add a file to the trust database and + deny it, "remove" to remove file from the trust database + • path (string|nil): Path to a file to update. Mutually + exclusive with {bufnr}. Cannot be used when {action} is + "allow". + • bufnr (number|nil): Buffer number to update. Mutually + exclusive with {path}. + + Return: ~ + (boolean, string) success, msg: + • true and full path of target file if operation was successful + • false and error message on failure + vim:tw=78:ts=8:sw=4:sts=4:et:ft=help:norl: diff --git a/runtime/doc/news.txt b/runtime/doc/news.txt index 70643cf00c..b155bae5a4 100644 --- a/runtime/doc/news.txt +++ b/runtime/doc/news.txt 
@@ -39,6 +39,9 @@ NEW FEATURES *news-features* The following new APIs or features were added. +• |vim.secure.trust()|, |:trust| allows the user to manage files in trust + database. + • |vim.diagnostic.open_float()| (and therefore |vim.diagnostic.config()|) now accepts a `suffix` option which, by default, renders LSP error codes. Similarly, the `virtual_text` configuration in |vim.diagnostic.config()| now diff --git a/runtime/doc/options.txt b/runtime/doc/options.txt index 36eabfdcbf..33bade3545 100644 --- a/runtime/doc/options.txt +++ b/runtime/doc/options.txt @@ -2275,6 +2275,8 @@ A jump table for the options with a short description can be found at |Q_op|. file are persisted to a trust database. The user is only prompted again if the file contents change. See |vim.secure.read()|. + Use |:trust| to manage the trusted file database. + This option cannot be set from a |modeline| or in the |sandbox|, for security reasons. |
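Review bot: In the runtime/doc/editing.txt hunk, the intro paragraph of the new *trust* section says a file can be marked trusted or untrusted with "the |:trust| command or the |vim.secure.read()| function", but it never links |vim.secure.trust()|, the function this commit adds for managing the database; suggest referencing it there. The synopsis `:trust [++deny] [++remove] [{file}]` also reads as if both options can be combined, and the text does not say what happens in that case or whether `:trust {file}` with no option is accepted. The closing phrase "will prompt the user if the file is trusted" is ambiguous; "will ask the user whether to trust the file" would be clearer.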
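Review bot: In the runtime/doc/lua.txt hunk, the `path` entry states it "Cannot be used when {action} is "allow"" without giving the reason, while the `:trust` synopsis in editing.txt lists `[{file}]` with no such restriction; add one sentence of rationale and make the two descriptions agree. The entries also write {action}, {path} and {bufnr} in braces although they are keys of {opts} rather than parameters, and the doc does not say what happens when neither `path` nor `bufnr` is given.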
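Review bot: The runtime/doc/news.txt entry has a subject-verb mismatch and a missing article: with two subjects it should read "|vim.secure.trust()|, |:trust| allow the user to manage files in the trust database."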
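Review bot: The line added in the runtime/doc/options.txt hunk calls it the "trusted file database", while editing.txt, lua.txt, index.txt and news.txt all say "trust database"; use the same term here so a help search for one name finds every mention. Since denied files are stored too, "trust database" is also the more accurate name.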