permjs

Security without slowing the release train

Permissions and policy for the Node ecosystem we actually ship.

permjs gives Node teams a cleaner way to reason about package access, environment boundaries, and runtime behavior before one dependency or one forgotten flag turns into an incident.

Node teams are under pressure

The hard part is not shipping code. It is trusting what that code can do.

Supply chain sprawl

One service can pull hundreds of transitive packages into production. Most teams know what they import, not what those packages can touch.

Environment drift

Local, CI, staging, and prod all carry different secrets, flags, and runtime assumptions. That drift quietly widens the blast radius.

Runtime blind spots

A passing build does not tell you when a package opens a socket, touches the filesystem, or reaches for child processes at runtime.

Policy as tribal knowledge

Security guidance often lives in docs or memory instead of code. permjs turns expectations into something your app can enforce.

Console-first workflow

Made for developers who live in terminals, pipelines, and pull requests.

    $ permjs init
    > generated permjs.policy.json
    $ permjs check
    allow fs.read: ./src/**
    allow env.read: NODE_ENV
    review net.connect: api.thirdparty.dev
    deny child_process.exec: curl | bash
    next step: tighten outbound network policy before release

Simple rollout

Start with visibility, add policy where it matters, and let teams keep moving. The goal is practical guardrails for modern Node apps, not a mountain of security theater.

  • Readable install docs for package consumers
  • Static marketing surface with room to grow into product docs
  • Designed to deploy as plain files to S3 and CloudFront

Docs-ready foundation

Ship the marketing page now. Add generated docs when the package guide is ready.
