|
| 1 | +# Agent Guide: nono |
| 2 | + |
| 3 | +This repository contains the `nono` project, a capability-based sandboxing system for running untrusted AI agents. |
| 4 | +It is a Cargo workspace with three members: |
| 5 | +- `crates/nono` (core library): Pure sandbox primitive. |
| 6 | +- `crates/nono-cli` (CLI binary): Owns security policy, profiles, and UX. |
| 7 | +- `bindings/c` (C FFI): C bindings. |
| 8 | + |
| 9 | +## Build, Test, and Lint Commands |
| 10 | + |
| 11 | +### Primary Commands |
| 12 | +Use the `Makefile` for standard workflows: |
| 13 | + |
| 14 | +- **Build All**: `make build` |
| 15 | +- **Test All**: `make test` |
| 16 | +- **Lint & Format**: `make check` (runs clippy + fmt check) |
| 17 | +- **CI Simulation**: `make ci` (runs check + test) |
| 18 | + |
| 19 | +### Component-Specific Targets |
| 20 | +- **Library**: `make build-lib` / `make test-lib` |
| 21 | +- **CLI**: `make build-cli` / `make test-cli` |
| 22 | +- **FFI**: `make build-ffi` / `make test-ffi` |
| 23 | + |
| 24 | +### Running a Single Test |
| 25 | +To run a specific test case, use `cargo test` directly: |
| 26 | + |
| 27 | +```bash |
| 28 | +# Run a specific test in the library |
| 29 | +cargo test -p nono -- test_function_name |
| 30 | + |
| 31 | +# Run a specific test in the CLI |
| 32 | +cargo test -p nono-cli -- test_function_name |
| 33 | + |
| 34 | +# Run a test and show stdout (useful for debugging) |
| 35 | +cargo test -p nono -- test_function_name --nocapture |
| 36 | +``` |
| 37 | + |
| 38 | +## Code Style & Standards |
| 39 | + |
| 40 | +### Formatting & Linting |
| 41 | +- **Strict Clippy**: We enforce `clippy::unwrap_used`. **NEVER** use `.unwrap()` or `.expect()`. |
| 42 | +- **Formatting**: Run `make fmt` to apply standard Rust formatting. |
| 43 | +- **Imports**: Group imports by crate (std, external, internal). |
| 44 | + |
| 45 | +### Error Handling |
| 46 | +- **No Panics**: Libraries should almost never panic. Use `Result` for all error conditions. |
| 47 | +- **Error Type**: Use `NonoError` for all errors. Propagate using `?`. |
| 48 | +- **Must Use**: Apply `#[must_use]` to functions returning critical `Result`s. |
| 49 | + |
| 50 | +### Naming Conventions |
| 51 | +- **Types/Traits**: `PascalCase` (e.g., `SandboxState`, `CapabilitySet`). |
| 52 | +- **Functions/Variables**: `snake_case` (e.g., `apply_sandbox`, `is_supported`). |
| 53 | +- **Constants**: `SCREAMING_SNAKE_CASE` (e.g., `MAX_PATH_LENGTH`). |
| 54 | + |
| 55 | +## Security Mandates (CRITICAL) |
| 56 | + |
| 57 | +**SECURITY IS NON-NEGOTIABLE.** Every change must be evaluated through a security lens. |
| 58 | + |
| 59 | +### Path Handling |
| 60 | +- **Canonicalization**: Always canonicalize paths at the enforcement boundary. |
| 61 | +- **Comparison**: Use `Path::components()` or `Path::starts_with()`. |
| 62 | + - **NEVER** use string operations like `str::starts_with()` for paths (vulnerable to `/home` vs `/homeevil`). |
| 63 | +- **Symlinks**: Be aware of TOCTOU (Time-of-Check Time-of-Use) race conditions. |
| 64 | + |
| 65 | +### Memory & Arithmetic |
| 66 | +- **Secrets**: Use the `zeroize` crate for sensitive data (keys/passwords) in memory. |
| 67 | +- **Math**: Use `checked_`, `saturating_`, or `overflowing_` methods for security-critical arithmetic. |
| 68 | + |
| 69 | +### Safe Code |
| 70 | +- **Unsafe**: Restrict `unsafe` code to FFI modules only. |
| 71 | +- **Documentation**: All `unsafe` blocks must be wrapped in `// SAFETY:` comments explaining why it is safe. |
| 72 | + |
| 73 | +### Principles |
| 74 | +- **Least Privilege**: Only grant the minimum necessary capabilities. |
| 75 | +- **Fail Secure**: On any error, deny access. Never silently degrade to a less secure state. |
| 76 | +- **Explicit Over Implicit**: Security-relevant behavior must be explicit and auditable. |
| 77 | + |
| 78 | +## Usage Example (Library) |
| 79 | + |
| 80 | +The core library (`crates/nono`) provides the sandbox primitive. Clients must construct a `CapabilitySet` and apply it. |
| 81 | + |
| 82 | +```rust |
| 83 | +use nono::{CapabilitySet, AccessMode, Sandbox}; |
| 84 | + |
| 85 | +fn main() -> nono::Result<()> { |
| 86 | + // Build capability set - client must add ALL paths |
| 87 | + let caps = CapabilitySet::new() |
| 88 | + .allow_path("/usr", AccessMode::Read)? |
| 89 | + .allow_path("/project", AccessMode::ReadWrite)? |
| 90 | + .block_network(); |
| 91 | + |
| 92 | + // Check platform support |
| 93 | + let support = Sandbox::support_info(); |
| 94 | + if !support.is_supported { |
| 95 | + eprintln!("Warning: {}", support.details); |
| 96 | + } |
| 97 | + |
| 98 | + // Apply sandbox - this is irreversible |
| 99 | + Sandbox::apply(&caps)?; |
| 100 | + |
| 101 | + Ok(()) |
| 102 | +} |
| 103 | +``` |
| 104 | + |
| 105 | +## Implementation Guidelines |
| 106 | + |
| 107 | +### Library vs CLI |
| 108 | +- **Library (`crates/nono`)**: Policy-free. Applies *only* what is in `CapabilitySet`. |
| 109 | +- **CLI (`crates/nono-cli`)**: Defines policy (deny rules, sensitive paths). |
| 110 | + |
| 111 | +### Platform Specifics |
| 112 | +- **Linux (Landlock)**: Strictly allow-list. Cannot express deny-within-allow. |
| 113 | +- **macOS (Seatbelt)**: Scheme-like DSL. Supports explicit deny rules. |
| 114 | +- **Cross-Platform**: Design abstractions that work securely on both. Test on both if possible. |
| 115 | + |
| 116 | +### Common Pitfalls to Avoid |
| 117 | +1. **Silent Fallbacks**: `unwrap_or_default()` on security config returns empty permissions (no protection). Fail hard instead. |
| 118 | +2. **Broad Permissions**: Do not grant access to entire directories when specific paths suffice. |
| 119 | +3. **Environment Variables**: Validate `HOME`, `TMPDIR`, etc. before use. Do not assume they are trustworthy. |
| 120 | +4. **Dead Code**: Avoid `#[allow(dead_code)]`. Remove unused code or write tests for it. |
| 121 | + |
| 122 | +## Testing Strategy |
| 123 | +When writing tests for new capabilities: |
| 124 | +1. **Unit Tests**: Verify the logic of `CapabilitySet` construction. |
| 125 | +2. **Integration Tests**: Use `tests/` directory to run actual sandbox enforcement checks. |
| 126 | +3. **Platform Checks**: Use `#[cfg(target_os = "linux")]` or `#[cfg(target_os = "macos")]` if the test is platform-specific. |
| 127 | + |
| 128 | +## Quick Reference |
| 129 | +- **Check code quality**: `make clippy` |
| 130 | +- **Fix formatting**: `make fmt` |
| 131 | +- **Run all tests**: `make test` |
0 commit comments