{"version":3,"term":{"cols":80,"rows":24},"timestamp":1777752464,"command":"npm run demo:record:nono","env":{"SHELL":"/bin/zsh"}}
[0.234, "o", "\r\n> zt-adapter-hello-world@0.1.0 demo:record:nono\r\n> bash scripts/record-nono-demo.sh\r\n\r\n"]
[0.018, "o", "Zero Trust Nono Execution Broker demo\r\n=====================================\r\nGoal: deny a sandbox spawn request, then approve the same action and launch it through nono.\r\n"]
[0.000, "o", "\r\n$ nono --version\r\n"]
[0.008, "o", "nono 0.46.0\r\n"]
[0.001, "o", "\r\n$ npm run zt:mock\r\n"]
[0.396, "o", "mock control plane is listening at http://127.0.0.1:3001\r\n"]
[0.000, "o", "\r\n$ curl -sS -X POST http://127.0.0.1:3001/agents -H 'content-type: application/json' -d '{\"actor\":\"demo-agent\"}'\r\n"]
[0.018, "o", "{\r\n  \"ok\": true,\r\n  \"actor\": \"demo-agent\",\r\n  \"registered\": true\r\n}\r\n"]
[0.001, "o", "\r\n\r\nAttempt to spawn a sandboxed agent before policy allows it. This must be blocked.\r\n"]
[0.000, "o", "\r\n$ env ZT_CONTROL_PLANE_URL=http://127.0.0.1:3001 ZT_ACTOR=demo-agent NONO_BIN=nono npm run demo:nono:deny\r\n"]
[0.232, "o", "\r\n> zt-adapter-hello-world@0.1.0 demo:nono:deny\r\n> node src/demo-nono.js deny\r\n\r\n"]
[0.127, "o", "{\r\n  \"broker\": \"nono-cli\",\r\n  \"actor\": \"demo-agent\",\r\n  \"action\": \"broker.nono.spawn_agent\",\r\n  \"resource\": \"repo/example\",\r\n  \"decision\": \"deny\",\r\n  \"reason\": \"action is not in the allow list\",\r\n  \"executionSkipped\": true,\r\n  \"permissions\": {\r\n    \"allow\": [],\r\n    \"read\": [],\r\n    \"write\": [],\r\n    \"allowFile\": [],\r\n    \"readFile\": [],\r\n    \"writeFile\": [],\r\n    \"allowDomain\": [],\r\n    \"listenPort\": [],\r\n    \"openPort\": [],\r\n    \"profile\": \"\",\r\n    \"workdir\": \"\",\r\n    \"networkProfile\": \"\",\r\n    \"allowCwd\": true,\r\n    \"blockNet\": true,\r\n    \"rollback\": false,\r\n    \"auditIntegrity\": false,\r\n    \"dryRun\": false\r\n  },\r\n  \"audit\": {\r\n    \"previous_hash\": \"0000000000000000000000000000000000000000000000000000000000000000\",\r\n    \"current_hash\": \"5e930c77be518b3804db9f4e084b9c0308cf452c3060207e7f5f4ff0aba0b028\",\r\n    \"kms_signature\": {\r\n      \"algorithm\": \"MOCK_ECDSA_SHA_256\",\r\n      \"key_id\": \"mock-key\",\r\n      \"signature\": \"mock-signature\"\r\n    }\r\n  }\r\n}\r\n"]
[0.014, "o", "\r\nApply policy for the Nono sandbox broker action.\r\n"]
[0.000, "o", "\r\n$ curl -sS -X POST http://127.0.0.1:3001/policies/allow -H 'content-type: application/json' -d '{\"action\":\"broker.nono.spawn_agent\",\"reason\":\"Policy allows this actor to spawn the demo Nono sandbox.\"}'\r\n"]
[0.017, "o", "{\r\n  \"ok\": true,\r\n  \"action\": \"broker.nono.spawn_agent\",\r\n  \"decision\": \"allow\"\r\n}\r\n"]
[0.001, "o", "\r\n\r\nSpawn the approved sandbox through Nono with network blocked.\r\n"]
[0.000, "o", "\r\n$ env ZT_CONTROL_PLANE_URL=http://127.0.0.1:3001 ZT_ACTOR=demo-agent NONO_BIN=nono npm run demo:nono:allow\r\n"]
[0.245, "o", "\r\n> zt-adapter-hello-world@0.1.0 demo:nono:allow\r\n> node src/demo-nono.js allow\r\n\r\n"]
[1.345, "o", "{\r\n  \"broker\": \"nono-cli\",\r\n  \"actor\": \"demo-agent\",\r\n  \"action\": \"broker.nono.spawn_agent\",\r\n  \"resource\": \"repo/example\",\r\n  \"decision\": \"allow\",\r\n  \"reason\": \"Policy allows this actor to spawn the demo Nono sandbox.\",\r\n  \"executionSkipped\": false,\r\n  \"permissions\": {\r\n    \"allow\": [],\r\n    \"read\": [],\r\n    \"write\": [],\r\n    \"allowFile\": [],\r\n    \"readFile\": [],\r\n    \"writeFile\": [],\r\n    \"allowDomain\": [],\r\n    \"listenPort\": [],\r\n    \"openPort\": [],\r\n    \"profile\": \"\",\r\n    \"workdir\": \"\",\r\n    \"networkProfile\": \"\",\r\n    \"allowCwd\": true,\r\n    \"blockNet\": true,\r\n    \"rollback\": false,\r\n    \"auditIntegrity\": false,\r\n    \"dryRun\": false\r\n  },\r\n  \"audit\": {\r\n    \"previous_hash\": \"0000000000000000000000000000000000000000000000000000000000000000\",\r\n    \"current_hash\": \"75f6eab51388e96d51987fbf95d213e8f2f4b1aa093fb07117e58242d9ba6c0c\",\r\n    \"kms_signature\": {\r\n      \"algorithm\": \"MOCK_ECDSA_SHA_256\",\r\n      \"key_id\": \"mock-key\",\r\n      \"signature\": \"mock-signature\"\r\n    }\r\n  },\r\n  \"sandbox\": {\r\n    \"command\": \"nono\",\r\n    \"args\": [\r\n      \"--silent\",\r\n      \"run\",\r\n      \"--name\",\r\n      \"zt-demo-agent\",\r\n      \"--allow-cwd\",\r\n      \"--block-net\",\r\n      \"--\",\r\n      \"node\",\r\n      \"-e\",\r\n      \"console.log('hello from a policy-approved Nono sandbox action')\"\r\n    ],\r\n    \"exitCode\": 0,\r\n    \"stdout\": \"hello from a policy-approved Nono sandbox action\\n\"\r\n  }\r\n}\r\n"]
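[0.016, "o", "\r\nDemo complete: the broker skipped Nono on deny, then invoked Nono only after policy returned allow.\r\nNote: the audit blocks above carry a mock KMS signature (MOCK_ECDSA_SHA_256, mock-key), and both show the all-zero previous_hash, so this run demonstrates the allow/deny gate, not signed or chained audit records.\r\n"]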
[0.018, "x", "0"]
