# Permissions & trust

> The grant model for clock, randomness, and environment — plus what meow does and doesn't sandbox today.

meow models the host as a set of **capabilities**. In `strict-web` mode the
ambient ones — system clock, randomness, and environment variables — start as
deterministic stand-ins, and you grant the real source explicitly. This is
deliberately *source selection* (deterministic ↔ real), not a binary allow/deny:
denying a program a clock outright would break ordinary code, so the safe default
is a reproducible substitute.

## The grants

All run-style commands (`run`, `dev`, `task`, `x`) accept the same flags:

| Flag                    | Grants                                                                 |
| ----------------------- | ---------------------------------------------------------------------- |
| `--allow-clock`         | Real wall-clock + monotonic time, plus real timezone/locale rendering. |
| `--allow-random`        | OS entropy for `Math.random` and `crypto.getRandomValues`.             |
| `--allow-env`           | **All** host environment variables become visible.                     |
| `--allow-env=HOME,PATH` | Only the named variables resolve; everything else stays invisible.     |
| `--trust`               | All of the above — full host access.                                   |

```bash
# Deterministic by default (strict-web):
meow run report.ts

# Grant just what you need:
meow run report.ts --allow-clock
meow run report.ts --allow-env=API_BASE,LOG_LEVEL

# Full host access:
meow run report.ts --trust
```

<Note>
  Environment grants are **scoped allowlists**, not all-or-nothing. `--allow-env=A,B`
  exposes exactly `A` and `B`; every other lookup returns `undefined`. Bare
  `--allow-env` is the widest grant and exposes everything.
</Note>

### Persistent opt-out

For machines where you always want full host access, set an environment variable
instead of typing flags:

```bash
export MEOW_DANGEROUSLY_DISABLE_SECURITY=1
```

This is equivalent to passing `--trust` on every run. Power users can work
nag-free; security-conscious CI stays locked down by simply not setting it.

## Mode interacts with grants

The starting point depends on your [mode](/concepts/modes):

<Tabs>
  <Tab title="strict-web">
    Clock, randomness, and environment all start as deterministic stand-ins. You
    grant real sources with the flags above. Environment is fully invisible until
    granted (and there is no `process` global at all).
  </Tab>

  <Tab title="node-compat">
    Real clock, OS entropy, and full environment are **on by default** — the run
    behaves like Node. You can still *narrow* the environment with `--allow-env=…`
    if you want a tighter, more reproducible run.
  </Tab>
</Tabs>

## The ephemeral-execution envelope

`meow x` (and the `npx`/`bunx` shims) print a one-line security envelope before
running a freshly downloaded package, so you always know what access it has:

```text
🐾 Executing create-next-app in strict isolation.
Set MEOW_DANGEROUSLY_DISABLE_SECURITY=1 or pass --trust to bypass.
```

You can pass grants *after* the package name — they're parsed out of the trailing
arguments, so this works as you'd expect:

```bash
meow x wrangler deploy --trust
```
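
A CI-side check for the grants described above, covering both the persistent opt-out variable and grants passed after the package name in `meow x`. This is an added example, not meow's own tooling: the function names `meow_grant_level` and `meow_ci_gate` and the level labels are hypothetical, and it assumes any non-empty value of the variable counts as the opt-out.

```bash
#!/usr/bin/env bash
# Added example, not part of meow. Classifies the widest grant a meow command
# line carries, using only the flags and the variable documented on this page.
# It models flags only; node-compat mode's on-by-default sources are not covered.

# Prints one of: trust | env-all | scoped | none
meow_grant_level() {
  local level="none" arg
  # Assumption: any non-empty value counts as the opt-out (the page shows =1).
  if [ -n "${MEOW_DANGEROUSLY_DISABLE_SECURITY:-}" ]; then
    echo "trust"
    return 0
  fi
  # Scan every argument, since grants may follow the package name in `meow x`.
  for arg in "$@"; do
    case "$arg" in
      --trust)
        echo "trust"
        return 0 ;;
      --allow-env)
        level="env-all" ;;
      --allow-env=*|--allow-clock|--allow-random)
        if [ "$level" = "none" ]; then level="scoped"; fi ;;
    esac
  done
  echo "$level"
}

# CI gate: reject full trust and the bare (unscoped) environment grant.
meow_ci_gate() {
  local level
  level="$(meow_grant_level "$@")"
  case "$level" in
    trust|env-all)
      echo "blocked ($level): $*" >&2
      return 1 ;;
  esac
  return 0
}

# Constructed command lines, for illustration only.
for cmd in "meow run report.ts" \
           "meow run report.ts --allow-env=API_BASE,LOG_LEVEL" \
           "meow run report.ts --allow-env" \
           "meow x wrangler deploy --trust"; do
  # shellcheck disable=SC2086  # word splitting of the sample line is intended
  printf '%-52s %s\n' "$cmd" "$(meow_grant_level $cmd)"
done
```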

## Scope

<Warning>
  **What the permission model enforces today.**

  meow's enforced capability layer is **clock, randomness, and environment** source
  selection — the [determinism](/concepts/determinism) seam. That part is real and
  on by default in `strict-web`.

  meow is **not** currently a filesystem/network sandbox in the way a hardened
  container is. The internal seams for gating fs and network access exist, but they
  default to allow-all today, and the per-package `permissions` block in
  `meow.config.json` is a **forward-looking schema placeholder** — it is parsed but
  not yet enforced. Determinism is defense-in-depth, not isolation against
  adversarial code (a program using `eval`/FFI or a captured pre-shadow reference can
  still reach the host).

  Bottom line: trust meow to make your runs **reproducible**, and to keep ambient
  nondeterminism out by default. Do **not** treat `strict-web` as a security boundary
  for running code you don't trust.
</Warning>

<Card title="See determinism for the mechanics" icon="lock" href="/concepts/determinism">
  Exactly what the clock, RNG, and env stand-ins do.
</Card>
