Skip to main content

Documentation Index

Fetch the complete documentation index at: https://nono.sh/docs/llms.txt

Use this file to discover all available pages before exploring further.

The repository includes runnable examples for the most common nono-ts workflows. These files in examples/ are the source of truth. Keep docs snippets aligned to them.

Run from repository root

npm run build:debug
npm run examples:list
npm run example:all
Run a single scenario: 
npm run example:js:03-query-policy
npm run example:ts:03-query-policy
TypeScript scripts use Node’s --experimental-strip-types and are best run on Node 22+.

Scenarios

ScenarioJavaScriptTypeScriptPurpose
01-support-checkexamples/js/01-support-check.jsexamples/ts/01-support-check.tsDetect and print platform support
02-build-capabilitiesexamples/js/02-build-capabilities.jsexamples/ts/02-build-capabilities.tsBuild capability sets and inspect grants
03-query-policyexamples/js/03-query-policy.jsexamples/ts/03-query-policy.tsDry-run allow/deny decisions with QueryContext
04-state-roundtripexamples/js/04-state-roundtrip.jsexamples/ts/04-state-roundtrip.tsSerialize and restore policy state
05-safe-apply-patternexamples/js/05-safe-apply-pattern.jsexamples/ts/05-safe-apply-pattern.tsGuarded irreversible apply() flow
06-minimal-safe-cliexamples/js/06-minimal-safe-cli.jsexamples/ts/06-minimal-safe-cli.tsSmall wrapper pattern for sandbox + transform
07-agent-workspace-patternexamples/js/07-agent-workspace-pattern.jsexamples/ts/07-agent-workspace-pattern.tsAgent-like input/output least-privilege pattern
08-failure-diagnosticsexamples/js/08-failure-diagnostics.jsexamples/ts/08-failure-diagnostics.tsPreflight + runtime denial diagnostics
09-config-roundtripexamples/js/09-config-roundtrip.jsexamples/ts/09-config-roundtrip.tsConfig-driven capability build and state parity
10-subprocess-inheritanceexamples/js/10-subprocess-inheritance.jsexamples/ts/10-subprocess-inheritance.tsOpt-in apply() + child-process inheritance check

Safety

apply(caps) is irreversible for the lifetime of the process.
05-safe-apply-pattern only applies the sandbox when NONO_APPLY=1 is set. 
NONO_APPLY=1 npm run example:js:05-safe-apply-pattern
NONO_APPLY=1 npm run example:ts:05-safe-apply-pattern
NONO_APPLY=1 npm run example:js:10-subprocess-inheritance
NONO_APPLY=1 npm run example:ts:10-subprocess-inheritance
10-subprocess-inheritance reports denied reads as:
  • BLOCKED for EACCES/EPERM (expected secure behavior)
  • MISSING for ENOENT (target file absent on host)
  • ALLOWED when access unexpectedly succeeds

End-to-End Demonstrator

Use the dedicated demonstrator for a full workflow: 
npm run demo:dry-run
npm run demo
npm run demo:attack-test
See Demonstrator for details.