The repository includes end-to-end scenario scripts under tests/smoke/ in both JavaScript and TypeScript. These run as part of the test suite and also serve as readable usage documentation.

Run all scenarios

npm run build:debug
npm test

Run a single scenario

# JavaScript
node tests/smoke/js/03-query-policy.js

# TypeScript
node --experimental-strip-types tests/smoke/ts/03-query-policy.ts

Scenarios

| Scenario | Purpose |
| --- | --- |
| 01-support-check | Detect and print platform support |
| 02-build-capabilities | Build capability sets and inspect grants |
| 03-query-policy | Dry-run allow/deny decisions with QueryContext |
| 04-state-roundtrip | Serialize and restore policy state |
| 05-safe-apply-pattern | Guarded irreversible apply() flow |
| 06-minimal-safe-cli | Small wrapper pattern for sandbox + transform |
| 07-agent-workspace-pattern | Agent-like input/output least-privilege pattern |
| 08-failure-diagnostics | Preflight + runtime denial diagnostics |
| 09-config-roundtrip | Config-driven capability build and state parity |
| 10-subprocess-inheritance | Opt-in apply() + child-process inheritance check |

Safety

apply(caps) is irreversible for the lifetime of the process. 05-safe-apply-pattern and 10-subprocess-inheritance only apply the sandbox when NONO_APPLY=1 is set.
NONO_APPLY=1 node tests/smoke/js/05-safe-apply-pattern.js
NONO_APPLY=1 node tests/smoke/js/10-subprocess-inheritance.js
10-subprocess-inheritance reports denied reads as:
  • BLOCKED for EACCES/EPERM (expected secure behavior)
  • MISSING for ENOENT (target file absent on host)
  • ALLOWED when access unexpectedly succeeds

End-to-End Demonstrator

Use the dedicated demonstrator for a full workflow:
npm run demo:dry-run
npm run demo
npm run demo:attack-test
See Demonstrator for details.