This page documents all TypeScript types exported by the nono SDK.
AccessMode
Enum representing the level of filesystem access to grant.
enum AccessMode {
Read = 0,
Write = 1,
ReadWrite = 2,
}
Values
| Value | Description |
|---|
Read | Read-only access to files and directories |
Write | Write-only access (create, modify, delete) |
ReadWrite | Full read and write access |
Usage
import { CapabilitySet, AccessMode } from 'nono-ts';
const caps = new CapabilitySet();
// Read-only access
caps.allowPath('/etc', AccessMode.Read);
// Write-only access
caps.allowPath('/var/log', AccessMode.Write);
// Full access
caps.allowPath('/tmp', AccessMode.ReadWrite);
FsCapabilityInfo
Information about a filesystem capability.
interface FsCapabilityInfo {
original: string;
resolved: string;
access: string;
isFile: boolean;
source: string;
}
Properties
The path as originally specified when adding the capability.
The canonicalized absolute path after symlink resolution.
Access level string: "read", "write", or "read+write".
true if this is a single-file capability, false for directories.
How the capability was added (e.g., "api", "config").
Example
import { CapabilitySet, AccessMode } from 'nono-ts';
const caps = new CapabilitySet();
caps.allowPath('/tmp', AccessMode.ReadWrite);
caps.allowFile('/etc/hosts', AccessMode.Read);
const capabilities = caps.fsCapabilities();
for (const cap of capabilities) {
console.log(`Path: ${cap.original}`);
console.log(` Resolved: ${cap.resolved}`);
console.log(` Access: ${cap.access}`);
console.log(` Is File: ${cap.isFile}`);
console.log(` Source: ${cap.source}`);
}
SupportInfoResult
Information about sandbox support on the current platform.
interface SupportInfoResult {
isSupported: boolean;
platform: string;
details: string;
}
Properties
Whether sandboxing is available on this platform.
Platform identifier. One of:
"linux" — Linux with Landlock support"macos" — macOS with Seatbelt support"unsupported" — Platform not supported
Human-readable description of the sandbox backend, version, and any limitations.
Example
import { supportInfo } from 'nono-ts';
const info = supportInfo();
switch (info.platform) {
case 'linux':
console.log('Using Landlock sandbox');
break;
case 'macos':
console.log('Using Seatbelt sandbox');
break;
default:
console.log('No sandbox available');
}
QueryResultInfo
Result of a permission query.
interface QueryResultInfo {
status: string;
reason: string;
grantedPath?: string;
access?: string;
granted?: string;
requested?: string;
}
Properties
Result status: "allowed" or "denied".
Reason for the result:Allowed reasons:
"granted_path" — A filesystem capability grants access"network_allowed" — Network access is not blocked
Denied reasons:
"path_not_granted" — No capability covers the path"insufficient_access" — Path covered but with lower access level"network_blocked" — Network has been blocked
For granted_path results, the path of the granting capability.
For granted_path results, the access level granted.
For insufficient_access results, the access level that was granted.
For insufficient_access results, the access level that was requested.
Example
import { CapabilitySet, QueryContext, AccessMode } from 'nono-ts';
const caps = new CapabilitySet();
caps.allowPath('/data', AccessMode.Read);
const query = new QueryContext(caps);
const result = query.queryPath('/data/file.txt', AccessMode.Write);
if (result.status === 'denied') {
if (result.reason === 'insufficient_access') {
console.log(`Have ${result.granted}, need ${result.requested}`);
} else if (result.reason === 'path_not_granted') {
console.log('Path is not covered by any capability');
}
}
Complete Type Definitions
For reference, here are all the type definitions in a single block:
// Enums
export const enum AccessMode {
Read = 0,
Write = 1,
ReadWrite = 2,
}
// Interfaces
export interface FsCapabilityInfo {
original: string;
resolved: string;
access: string;
isFile: boolean;
source: string;
}
export interface SupportInfoResult {
isSupported: boolean;
platform: string;
details: string;
}
export interface QueryResultInfo {
status: string;
reason: string;
grantedPath?: string;
access?: string;
granted?: string;
requested?: string;
}
// Classes
export class CapabilitySet {
constructor();
allowPath(path: string, mode: AccessMode): void;
allowFile(path: string, mode: AccessMode): void;
blockNetwork(): void;
allowCommand(cmd: string): void;
blockCommand(cmd: string): void;
platformRule(rule: string): void;
deduplicate(): void;
pathCovered(path: string): boolean;
fsCapabilities(): FsCapabilityInfo[];
get isNetworkBlocked(): boolean;
summary(): string;
}
export class SandboxState {
static fromCaps(caps: CapabilitySet): SandboxState;
static fromJson(json: string): SandboxState;
toJson(): string;
toCaps(): CapabilitySet;
get netBlocked(): boolean;
}
export class QueryContext {
constructor(caps: CapabilitySet);
queryPath(path: string, mode: AccessMode): QueryResultInfo;
queryNetwork(): QueryResultInfo;
}
// Functions
export function apply(caps: CapabilitySet): void;
export function isSupported(): boolean;
export function supportInfo(): SupportInfoResult;
