demo/sandboxed-file-transformer/index.js
Run Commands
From the repository root:

What It Demonstrates
- Least privilege
  - Read-only access to an ephemeral temp input directory
  - Read+write access to an ephemeral temp output directory
  - Optional `--offline` network blocking mode
- Preflight visibility
  - Uses `QueryContext` to print allowed/denied decisions before sandbox application
- Runtime enforcement
  - With `NONO_APPLY=1`, calls `apply(caps)` and performs only allowed transformations
- Security checks
  - Optional attack mode tries forbidden reads and reports pass/fail outcomes
Safety Notes
- `apply(caps)` is irreversible for the process lifetime.
- The demo runs in a dedicated process via npm scripts to keep your shell session unaffected.
- The demo writes runtime files to the system temp directory, not the repository tree, and cleans them up by default.
- Set `NONO_DEMO_KEEP_TMP=1` to keep temp artifacts for debugging.
- Attack checks may be marked `INCONCLUSIVE` when target files do not exist on the host.