nono 0.65.1

Capability-based sandboxing library using Landlock (Linux) and Seatbelt (macOS)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252

//! Supervisor IPC types for capability expansion
//!
//! These types define the protocol between a sandboxed child process and its
//! unsandboxed supervisor parent. The child sends [`CapabilityRequest`]s over
//! a Unix socket, and the supervisor responds with [`ApprovalDecision`]s.
//!
//! [`ApprovalRequest`] is the generalised form consumed by [`crate::supervisor::ApprovalBackend`].
//! It covers file capability, network, and Tool Sandbox  command-launch requests.

use crate::capability::AccessMode;
use serde::{Deserialize, Serialize};
use std::path::PathBuf;
use std::time::SystemTime;

/// A request from the sandboxed child for additional filesystem access.
///
/// This is the IPC wire type sent over the supervisor Unix socket. The
/// supervisor converts it to [`ApprovalRequest::Capability`] before calling
/// the approval backend.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CapabilityRequest {
    /// Unique identifier for this request (for replay protection and audit)
    pub request_id: String,
    /// The filesystem path being requested
    pub path: PathBuf,
    /// The access mode requested (read, write, or read+write)
    pub access: AccessMode,
    /// Human-readable reason for the request (provided by the agent)
    pub reason: Option<String>,
    /// PID of the requesting child process
    pub child_pid: u32,
    /// Session identifier for correlating requests within a single run
    pub session_id: String,
}

/// A generalised approval request covering all request types handled by
/// [`crate::supervisor::ApprovalBackend`].
///
/// The supervisor IPC wire type [`CapabilityRequest`] maps to the
/// [`ApprovalRequest::Capability`] variant. Tool Sandbox  command launch uses the
/// [`ApprovalRequest::Command`] variant, built directly in the Tool Sandbox  shim
/// handler without going over the IPC socket.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(tag = "capability_type", rename_all = "snake_case")]
pub enum ApprovalRequest {
    /// A filesystem capability expansion request (from `nono grant` IPC).
    Capability {
        /// Unique identifier for this request (for replay protection and audit)
        request_id: String,
        /// The filesystem path being requested
        path: PathBuf,
        /// The access mode requested (read, write, or read+write)
        access: AccessMode,
        /// Human-readable reason for the request (provided by the agent)
        reason: Option<String>,
        /// PID of the requesting child process
        child_pid: u32,
        /// Session identifier for correlating requests within a single run
        session_id: String,
    },
    /// A network-level capability approval request.
    Network {
        /// Unique identifier for this request
        request_id: String,
        /// The hostname or IP being connected to
        host: String,
        /// The TCP/UDP port being connected to
        port: u16,
        /// Protocol: `"tcp"` or `"udp"`
        protocol: String,
        /// Resolved IP addresses for the host (may be empty)
        resolved_ips: Vec<String>,
        /// Human-readable reason for the request
        reason: Option<String>,
        /// PID of the requesting child process
        child_pid: u32,
        /// Session identifier
        session_id: String,
    },
    /// An L7 endpoint approval request from the network proxy.
    Endpoint {
        /// Unique identifier for this request
        request_id: String,
        /// Stable configured route identifier, e.g. `"github-api"`
        route_id: String,
        /// Upstream URL for the route, without credentials
        upstream: String,
        /// HTTP method being requested
        method: String,
        /// Request path being requested
        path: String,
        /// The endpoint policy rule/default that triggered approval
        rule_label: String,
        /// Human-readable reason
        reason: Option<String>,
        /// PID of the requesting child process, if known
        child_pid: u32,
        /// Session identifier
        session_id: String,
    },
    /// An Tool Sandbox  command-launch approval request (from the `Approve` intercept action).
    Command {
        /// Unique identifier for this request
        request_id: String,
        /// The command name (e.g. `"git"`)
        command: String,
        /// Full argument list including argv[0]
        args: Vec<String>,
        /// Tool Sandbox  caller identity (e.g. `"session"` or a chained command name)
        caller: String,
        /// The intercept rule pattern that triggered this approval
        intercept_rule: String,
        /// Human-readable reason (may be empty)
        reason: Option<String>,
        /// PID of the shim process that sent the request
        child_pid: u32,
        /// Session identifier
        session_id: String,
    },
}

impl ApprovalRequest {
    /// The request_id for this request (all variants carry one).
    #[must_use]
    pub fn request_id(&self) -> &str {
        match self {
            ApprovalRequest::Capability { request_id, .. }
            | ApprovalRequest::Network { request_id, .. }
            | ApprovalRequest::Endpoint { request_id, .. }
            | ApprovalRequest::Command { request_id, .. } => request_id,
        }
    }

    /// The session_id for this request (all variants carry one).
    #[must_use]
    pub fn session_id(&self) -> &str {
        match self {
            ApprovalRequest::Capability { session_id, .. }
            | ApprovalRequest::Network { session_id, .. }
            | ApprovalRequest::Endpoint { session_id, .. }
            | ApprovalRequest::Command { session_id, .. } => session_id,
        }
    }
}

impl From<CapabilityRequest> for ApprovalRequest {
    fn from(r: CapabilityRequest) -> Self {
        ApprovalRequest::Capability {
            request_id: r.request_id,
            path: r.path,
            access: r.access,
            reason: r.reason,
            child_pid: r.child_pid,
            session_id: r.session_id,
        }
    }
}

/// The supervisor's response to a [`CapabilityRequest`].
#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum ApprovalDecision {
    /// Access was granted. The supervisor will pass an fd via `SCM_RIGHTS`.
    Granted,
    /// Access was denied with a reason.
    Denied {
        /// Why the request was denied
        reason: String,
    },
    /// The approval request timed out without a decision.
    Timeout,
}

impl ApprovalDecision {
    /// Returns true if access was granted.
    #[must_use]
    pub fn is_granted(&self) -> bool {
        matches!(self, ApprovalDecision::Granted)
    }

    /// Returns true if access was denied.
    #[must_use]
    pub fn is_denied(&self) -> bool {
        matches!(self, ApprovalDecision::Denied { .. })
    }
}

/// A structured audit record for every approval decision.
///
/// Every capability request produces an audit entry regardless of outcome.
/// These entries support fleet-level monitoring and compliance reporting.
/// The `request` field covers all request types via [`ApprovalRequest`].
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AuditEntry {
    /// When the decision was made
    pub timestamp: SystemTime,
    /// The original request (file, network, or command)
    pub request: ApprovalRequest,
    /// The decision that was reached
    pub decision: ApprovalDecision,
    /// Which approval backend handled the request
    pub backend: String,
    /// How long the decision took (milliseconds)
    pub duration_ms: u64,
}

/// A request from the sandboxed child to open a URL in the user's browser.
///
/// Sent over the supervisor Unix socket when the child needs to launch a
/// browser (e.g., for OAuth2 login). The unsandboxed supervisor validates
/// the URL against the profile's allowed origins and opens it outside the
/// sandbox, where the browser can access its own config files freely.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct UrlOpenRequest {
    /// Unique identifier for this request (for replay protection and audit)
    pub request_id: String,
    /// The URL to open in the user's browser
    pub url: String,
    /// PID of the requesting child process
    pub child_pid: u32,
    /// Session identifier for correlating requests within a single run
    pub session_id: String,
}

/// IPC message envelope sent from child to supervisor.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum SupervisorMessage {
    /// A capability expansion request (explicit, from SDK clients)
    Request(CapabilityRequest),
    /// A request to open a URL in the user's browser (e.g., OAuth2 login)
    OpenUrl(UrlOpenRequest),
}

/// IPC message envelope sent from supervisor to child.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum SupervisorResponse {
    /// Response to a capability request
    Decision {
        /// The request_id this responds to
        request_id: String,
        /// The approval decision
        decision: ApprovalDecision,
    },
    /// Response to a URL open request
    UrlOpened {
        /// The request_id this responds to
        request_id: String,
        /// Whether the URL was opened successfully
        success: bool,
        /// Error message if the open failed
        error: Option<String>,
    },
}