You can clone with
Currently, two tags determine how untrusted routines may access a program:
What seems to be missing (and necessary) is a tag that makes a program branch inaccessible by untrusted calls.
This would prevent untrusted routines from navigating to sensitive states, like myFlowGame.target('//user/score/add/', 1000000);. With the proper restrictions, such a call could only be invoked by the program itself - or a (sanctioned) nested Flow.
In this sense, "hiding" a state is a way to make them as private (but from whom). The affect would cascade to descendants, and each state should be allowed to unhide itself and it's branch.
When a Flow instance method is invoked, there are three levels of "trust" (the labels will likely change):
External calls are considered "untrusted". Depending on the level of access/control a method exposes, internal calls might also be considered "untrusted". Flow lets methods incorporate these trust levels in their logic, which equates to access and control of an instance.
In light of trust levels, which sould allow accessing a hidden state (besides internal)? Should external calls never have access, and internal calls be given access to them?
Splitting hairs here means either:
The Core package may introduce the _conceal tag, which would provide the following functionality:
I've abandoned the idea of setting levels of concealment.
Closes #32 - Added `_conceal` tag and unit tests (re #20)