strict-web mode the
ambient ones — system clock, randomness, and environment variables — start as
deterministic stand-ins, and you grant the real source explicitly. This is
deliberately source selection (deterministic ↔ real), not a binary allow/deny:
denying a program a clock outright would break ordinary code, so the safe default
is a reproducible substitute.
The grants
All run-style commands (run, dev, task, x) accept the same flags:
| Flag | Grants |
|---|---|
--allow-clock | Real wall-clock + monotonic time, plus real timezone/locale rendering. |
--allow-random | OS entropy for Math.random and crypto.getRandomValues. |
--allow-env | All host environment variables become visible. |
--allow-env=HOME,PATH | Only the named variables resolve; everything else stays invisible. |
--trust | All of the above — full host access. |
Environment grants are scoped allowlists, not all-or-nothing.
--allow-env=A,B
exposes exactly A and B; every other lookup returns undefined. Bare
--allow-env is the widest grant and exposes everything.Persistent opt-out
For machines where you always want full host access, set an environment variable instead of typing flags:--trust on every run. Power users can work
nag-free; security-conscious CI stays locked down by simply not setting it.
Mode interacts with grants
The starting point depends on your mode:- strict-web
- node-compat
Clock, randomness, and environment all start as deterministic stand-ins. You
grant real sources with the flags above. Environment is fully invisible until
granted (and there is no
process global at all).The ephemeral-execution envelope
meow x (and the npx/bunx shims) print a one-line security envelope before
running a freshly downloaded package, so you always know what access it has:
Scope
See determinism for the mechanics
Exactly what the clock, RNG, and env stand-ins do.