
Permissions

Workers execute task code, so permission policy controls what those workers can access at runtime.

Set permission in createPool(...):

```ts
import { createPool, task } from "@vixeny/knitting";

export const work = task({
  f: async (x: number) => x * 2,
});

createPool({
  threads: 2,
  permission: {},
})({ work });
```
  • Omit permission: strict defaults plus allowImport: true (web imports allowed).
  • permission: {} or permission: { mode: "strict" }: conservative defaults in explicit strict mode.
  • permission: "unsafe": disables permission flags and strips inherited Node permission flags.

The console option can be set in object mode for compatibility. It defaults to false in strict mode and to true in unsafe mode.

```ts
createPool({ permission: { mode: "strict", console: true } })({ work });
createPool({ permission: "unsafe" })({ work });
```

Strict mode computes a conservative profile:

  • read/write allowed under the current working directory (cwd)
  • write denied for node_modules
  • deny read/write for sensitive paths: .env, .git, .npmrc, .docker, .secrets, ~/.ssh, ~/.gnupg, ~/.aws, ~/.azure, ~/.config/gcloud, ~/.kube
  • deny read/write for POSIX-sensitive paths: /proc, /proc/self, /proc/self/environ, /proc/self/mem, /sys, /dev, /etc
  • read support for deno.lock and bun.lock*
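The profile above combines an allow list rooted at cwd with deny lists that take precedence. The following added example (not the knitting library's implementation) shows that deny-before-allow evaluation and the segment-aware path matching it needs; cwd and home are passed in explicitly, and the /work/app and /home/dev values in the usage are constructed.

```typescript
// Added illustration of the strict-mode filesystem profile described above.
// This is not the knitting library's implementation; cwd and home are passed
// in explicitly (constructed values in the usage below) so it runs anywhere.

type Op = "read" | "write";

interface FsProfile {
  allow: Record<Op, string[]>;
  deny: Record<Op, string[]>;
}

// Sensitive entries relative to cwd, relative to $HOME, and absolute POSIX paths.
const SENSITIVE_CWD = [".env", ".git", ".npmrc", ".docker", ".secrets"];
const SENSITIVE_HOME = [".ssh", ".gnupg", ".aws", ".azure", ".config/gcloud", ".kube"];
const SENSITIVE_POSIX = ["/proc", "/proc/self", "/proc/self/environ", "/proc/self/mem", "/sys", "/dev", "/etc"];

function join(base: string, rel: string): string {
  return base.replace(/\/+$/, "") + "/" + rel;
}

export function strictProfile(cwd: string, home: string): FsProfile {
  const sensitive = [
    ...SENSITIVE_CWD.map((p) => join(cwd, p)),
    ...SENSITIVE_HOME.map((p) => join(home, p)),
    ...SENSITIVE_POSIX,
  ];
  return {
    allow: {
      // Everything under cwd, plus the lock files (a trailing "*" is a prefix glob).
      read: [cwd, join(cwd, "deno.lock"), join(cwd, "bun.lock*")],
      write: [cwd],
    },
    deny: {
      read: sensitive,
      write: [join(cwd, "node_modules"), ...sensitive],
    },
  };
}

// A rule matches the path itself or anything below it. Matching on path
// segments (rule + "/") is what keeps a rule for ".git" from also matching
// ".gitignore"; a bare startsWith() would over-match.
function matches(rule: string, path: string): boolean {
  if (rule.endsWith("*")) return path.startsWith(rule.slice(0, -1));
  return path === rule || path.startsWith(rule.endsWith("/") ? rule : rule + "/");
}

// Deny rules win over allow rules, so a file under cwd is still refused when
// it also sits under a sensitive path. `path` must already be absolute and
// normalised (".." resolved); this check does no normalisation of its own.
export function isAllowed(profile: FsProfile, op: Op, path: string): boolean {
  if (profile.deny[op].some((rule) => matches(rule, path))) return false;
  return profile.allow[op].some((rule) => matches(rule, path));
}

// Constructed usage: a project at /work/app run by a user whose home is /home/dev.
export const demo = strictProfile("/work/app", "/home/dev");
```

Two details matter for a check like this: the deny list must be consulted first (otherwise the cwd allow rule would cover .env and .git), and the caller must resolve the path before asking, since a relative or ".."-containing path can slip past a string-prefix rule.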

permission: "unsafe" disables runtime permission flags and strips inherited Node permission flags from worker execArgv.

Permission protocol values are mapped to each runtime differently.

Node: workers receive --permission / --experimental-permission plus:

  • --allow-fs-read
  • --allow-fs-write
  • --allow-worker
  • --allow-child-process
  • --allow-addons
  • --allow-wasi

Node worker flags are allow-list based, so the protocol's deny lists cannot be expressed as Node worker flags.

Deno: workers receive the Worker deno.permissions option when enabled.

This is applied only when one of these is true:

  • --unstable-worker-options is detected (Linux /proc probe), or
  • KNITTING_DENO_WORKER_PERMISSIONS=1 is set.

Bun: there are currently no worker permission flags. Protocol values are accepted for API compatibility but are not enforced by Bun runtime flags.

Object mode supports runtime-specific process-execution overrides:

  • node.allowChildProcess?: boolean
  • deno.allowRun?: boolean

Both default to false in strict mode.
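The Node flag mapping, the Deno deno.permissions mapping and the per-runtime process-execution overrides above can be seen together in one added example. It is not the knitting library's own code: the FsProfile input is a hand-written allow/deny structure, the permission object shapes follow this page, and of the Node flags listed above only the fs allow lists and the child-process override are lowered (the page does not state defaults for --allow-worker, --allow-addons or --allow-wasi, so they are left out).

```typescript
// Added illustration of lowering a permission value to runtime-specific
// worker options. It is not the knitting library's own code; the inputs are
// a hand-written FsProfile (constructed, not computed from the process) and
// the permission object shapes documented on this page.

type Op = "read" | "write";
interface FsProfile { allow: Record<Op, string[]>; deny: Record<Op, string[]>; }

interface PermissionObject {
  mode?: "strict";
  console?: boolean;
  node?: { allowChildProcess?: boolean };
  deno?: { allowRun?: boolean };
}
type Permission = PermissionObject | "unsafe";

interface NodeWorkerOptions {
  execArgv: string[];
  console: boolean;
  // Deny entries have no Node worker flag; they are returned so the caller can
  // log them or narrow the allow lists instead of silently losing them.
  unexpressedDenies: string[];
}

// Node permission-model flags that "unsafe" strips from inherited execArgv.
const NODE_PERMISSION_FLAGS = [
  "--permission", "--experimental-permission", "--allow-fs-read", "--allow-fs-write",
  "--allow-child-process", "--allow-worker", "--allow-addons", "--allow-wasi",
];
const isPermissionFlag = (flag: string): boolean =>
  NODE_PERMISSION_FLAGS.some((f) => flag === f || flag.startsWith(f + "="));

export function toNodeWorkerOptions(
  permission: Permission,
  profile: FsProfile,
  inheritedExecArgv: string[] = [],
  permissionFlag: "--permission" | "--experimental-permission" = "--permission",
): NodeWorkerOptions {
  if (permission === "unsafe") {
    // Unsafe: no permission model at all, and inherited permission flags are
    // dropped so the worker does not run under the parent's policy by accident.
    return {
      execArgv: inheritedExecArgv.filter((f) => !isPermissionFlag(f)),
      console: true,
      unexpressedDenies: [],
    };
  }
  const execArgv: string[] = [permissionFlag];
  // Node accepts the fs flags repeatedly, one path per flag.
  for (const p of profile.allow.read) execArgv.push(`--allow-fs-read=${p}`);
  for (const p of profile.allow.write) execArgv.push(`--allow-fs-write=${p}`);
  // Child processes only when explicitly opted in (default false in strict mode).
  if (permission.node?.allowChildProcess === true) execArgv.push("--allow-child-process");
  const unexpressedDenies = [
    ...profile.deny.read.map((p) => `read:${p}`),
    ...profile.deny.write.map((p) => `write:${p}`),
  ];
  return { execArgv, console: permission.console ?? false, unexpressedDenies };
}

// Deno side: the Worker deno.permissions option takes "inherit", "none" or an
// object of allow lists; `run` follows deno.allowRun (default false in strict mode).
export function toDenoWorkerPermissions(permission: Permission, profile: FsProfile) {
  if (permission === "unsafe") return "inherit" as const;
  return {
    read: profile.allow.read,
    write: profile.allow.write,
    run: permission.deno?.allowRun === true,
  };
}
```

The unexpressedDenies list is the practical consequence of the allow-list-only note above: on Node, --allow-fs-read=/work/app grants the whole tree, so a .env under cwd remains readable to the worker unless the caller narrows the allow list to specific subdirectories; the profile's deny entries protect on runtimes that can enforce them, not on Node.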