Skip to main content
meow models the host as a set of capabilities. In strict-web mode the ambient ones — system clock, randomness, and environment variables — start as deterministic stand-ins, and you grant the real source explicitly. This is deliberately source selection (deterministic ↔ real), not a binary allow/deny: denying a program a clock outright would break ordinary code, so the safe default is a reproducible substitute.

The grants

All run-style commands (run, dev, task, x) accept the same flags:
FlagGrants
--allow-clockReal wall-clock + monotonic time, plus real timezone/locale rendering.
--allow-randomOS entropy for Math.random and crypto.getRandomValues.
--allow-envAll host environment variables become visible.
--allow-env=HOME,PATHOnly the named variables resolve; everything else stays invisible.
--trustAll of the above — full host access.
# Deterministic by default (strict-web):
meow run report.ts

# Grant just what you need:
meow run report.ts --allow-clock
meow run report.ts --allow-env=API_BASE,LOG_LEVEL

# Full host access:
meow run report.ts --trust
Environment grants are scoped allowlists, not all-or-nothing. --allow-env=A,B exposes exactly A and B; every other lookup returns undefined. Bare --allow-env is the widest grant and exposes everything.

Persistent opt-out

For machines where you always want full host access, set an environment variable instead of typing flags:
export MEOW_DANGEROUSLY_DISABLE_SECURITY=1
This is equivalent to passing --trust on every run. Power users can work nag-free; security-conscious CI stays locked down by simply not setting it.

Mode interacts with grants

The starting point depends on your mode:
Clock, randomness, and environment all start as deterministic stand-ins. You grant real sources with the flags above. Environment is fully invisible until granted (and there is no process global at all).

The ephemeral-execution envelope

meow x (and the npx/bunx shims) print a one-line security envelope before running a freshly downloaded package, so you always know what access it has:
🐾 Executing create-next-app in strict isolation.
Set MEOW_DANGEROUSLY_DISABLE_SECURITY=1 or pass --trust to bypass.
You can pass grants after the package name — they’re parsed out of the trailing arguments, so this works as you’d expect:
meow x wrangler deploy --trust

Scope

What the permission model enforces today.meow’s enforced capability layer is clock, randomness, and environment source selection — the determinism seam. That part is real and on by default in strict-web.meow is not currently a filesystem/network sandbox in the way a hardened container is. The internal seams for gating fs and network access exist, but they default to allow-all today, and the per-package permissions block in meow.config.json is a forward-looking schema placeholder — it is parsed but not yet enforced. Determinism is defense-in-depth, not isolation against adversarial code (a program using eval/FFI or a captured pre-shadow reference can still reach the host).Bottom line: trust meow to make your runs reproducible, and to keep ambient nondeterminism out by default. Do not treat strict-web as a security boundary for running code you don’t trust.

See determinism for the mechanics

Exactly what the clock, RNG, and env stand-ins do.