The nono Node.js SDK provides native bindings to the nono sandboxing library, enabling you to apply Landlock (Linux) or Seatbelt (macOS) restrictions from within your JavaScript or TypeScript applications.Documentation Index
Fetch the complete documentation index at: https://nono.sh/docs/llms.txt
Use this file to discover all available pages before exploring further.
Key Features
Capability-Based
Define exactly which filesystem paths and network access your application needs
OS-Enforced
Restrictions are enforced by the kernel, not userspace — they cannot be bypassed
Irreversible
Once applied, the sandbox cannot be weakened or removed for the lifetime of the process
Zero Dependencies
Native Rust code compiled to a single
.node binary with no runtime dependenciesPlatform Support
| Platform | Backend | Minimum Version |
|---|---|---|
| Linux | Landlock | Kernel 5.13+ |
| macOS | Seatbelt | macOS 10.5+ |
| Windows | — | Not supported |
Installation
Quick Example
Architecture
The SDK wraps the Rustnono crate using napi-rs, compiling to a native Node.js addon. This provides:
- Performance: Native Rust code with zero JavaScript overhead for sandbox operations
- Safety: Memory-safe Rust implementation with proper error handling
- Compatibility: Works with Node.js 18+ on supported platforms
API Overview
| Class/Function | Description |
|---|---|
Examples | Runnable JavaScript and TypeScript scenarios |
Demonstrator | End-to-end sandboxed file transformer workflow |
CapabilitySet | Build a set of filesystem and network capabilities |
QueryContext | Query whether operations would be permitted |
SandboxState | Serialize and deserialize sandbox state |
apply() | Apply the sandbox with given capabilities |
isSupported() | Check if sandboxing is available |
supportInfo() | Get detailed platform support information |