Documentation Index
Fetch the complete documentation index at: https://nono.sh/docs/llms.txt
Use this file to discover all available pages before exploring further.
This page documents all TypeScript types exported by the nono SDK.
AccessMode
Enum representing the level of filesystem access to grant.
enum AccessMode {
Read = 0,
Write = 1,
ReadWrite = 2,
}
Values
| Value | Description |
|---|
Read | Read-only access to files and directories |
Write | Write-only access (create, modify, delete) |
ReadWrite | Full read and write access |
Usage
import { CapabilitySet, AccessMode } from 'nono-ts';
const caps = new CapabilitySet();
// Read-only access
caps.allowPath('/etc', AccessMode.Read);
// Write-only access
caps.allowPath('/var/log', AccessMode.Write);
// Full access
caps.allowPath('/tmp', AccessMode.ReadWrite);
FsCapabilityInfo
Information about a filesystem capability.
interface FsCapabilityInfo {
original: string;
resolved: string;
access: string;
isFile: boolean;
source: string;
}
Properties
The path as originally specified when adding the capability.
The canonicalized absolute path after symlink resolution.
Access level string: "read", "write", or "read+write".
true if this is a single-file capability, false for directories.
How the capability was added (e.g., "api", "config").
Example
import { CapabilitySet, AccessMode } from 'nono-ts';
const caps = new CapabilitySet();
caps.allowPath('/tmp', AccessMode.ReadWrite);
caps.allowFile('/etc/hosts', AccessMode.Read);
const capabilities = caps.fsCapabilities();
for (const cap of capabilities) {
console.log(`Path: ${cap.original}`);
console.log(` Resolved: ${cap.resolved}`);
console.log(` Access: ${cap.access}`);
console.log(` Is File: ${cap.isFile}`);
console.log(` Source: ${cap.source}`);
}
SupportInfoResult
Information about sandbox support on the current platform.
interface SupportInfoResult {
isSupported: boolean;
platform: string;
details: string;
}
Properties
Whether sandboxing is available on this platform.
Platform identifier. One of:
"linux" — Linux with Landlock support"macos" — macOS with Seatbelt support"unsupported" — Platform not supported
Human-readable description of the sandbox backend, version, and any limitations.
Example
import { supportInfo } from 'nono-ts';
const info = supportInfo();
switch (info.platform) {
case 'linux':
console.log('Using Landlock sandbox');
break;
case 'macos':
console.log('Using Seatbelt sandbox');
break;
default:
console.log('No sandbox available');
}
QueryResultInfo
Result of a permission query.
interface QueryResultInfo {
status: string;
reason: string;
grantedPath?: string;
access?: string;
granted?: string;
requested?: string;
}
Properties
Result status: "allowed" or "denied".
Reason for the result:Allowed reasons:
"granted_path" — A filesystem capability grants access"network_allowed" — Network access is not blocked
Denied reasons:
"path_not_granted" — No capability covers the path"insufficient_access" — Path covered but with lower access level"network_blocked" — Network has been blocked
For granted_path results, the path of the granting capability.
For granted_path results, the access level granted.
For insufficient_access results, the access level that was granted.
For insufficient_access results, the access level that was requested.
Example
import { CapabilitySet, QueryContext, AccessMode } from 'nono-ts';
const caps = new CapabilitySet();
caps.allowPath('/data', AccessMode.Read);
const query = new QueryContext(caps);
const result = query.queryPath('/data/file.txt', AccessMode.Write);
if (result.status === 'denied') {
if (result.reason === 'insufficient_access') {
console.log(`Have ${result.granted}, need ${result.requested}`);
} else if (result.reason === 'path_not_granted') {
console.log('Path is not covered by any capability');
}
}
Complete Type Definitions
For reference, here are all the type definitions in a single block:
// Enums
export const enum AccessMode {
Read = 0,
Write = 1,
ReadWrite = 2,
}
// Interfaces
export interface FsCapabilityInfo {
original: string;
resolved: string;
access: string;
isFile: boolean;
source: string;
}
export interface SupportInfoResult {
isSupported: boolean;
platform: string;
details: string;
}
export interface QueryResultInfo {
status: string;
reason: string;
grantedPath?: string;
access?: string;
granted?: string;
requested?: string;
}
// Classes
export class CapabilitySet {
constructor();
allowPath(path: string, mode: AccessMode): void;
allowFile(path: string, mode: AccessMode): void;
blockNetwork(): void;
allowCommand(cmd: string): void;
blockCommand(cmd: string): void;
platformRule(rule: string): void;
deduplicate(): void;
pathCovered(path: string): boolean;
fsCapabilities(): FsCapabilityInfo[];
get isNetworkBlocked(): boolean;
summary(): string;
}
export class SandboxState {
static fromCaps(caps: CapabilitySet): SandboxState;
static fromJson(json: string): SandboxState;
toJson(): string;
toCaps(): CapabilitySet;
get netBlocked(): boolean;
}
export class QueryContext {
constructor(caps: CapabilitySet);
queryPath(path: string, mode: AccessMode): QueryResultInfo;
queryNetwork(): QueryResultInfo;
}
// Functions
export function apply(caps: CapabilitySet): void;
export function isSupported(): boolean;
export function supportInfo(): SupportInfoResult;
