b1d497f3
feat: trust nono CA cert inside sandbox
a73x 2026-03-29 16:42
Bind-mount ca.pem and set SSL_CERT_FILE + NODE_EXTRA_CA_CERTS so tools inside the sandbox trust the MITM proxy's CA.
diff --git a/nono b/nono
index 866abd9..044284c 100755
--- a/nono
+++ b/nono
@@ -18,6 +18,16 @@ if [[ "${1:-}" == "allow" ]]; then exit fi if [[ "${1:-}" == "clean" ]]; then if [[ ! -d "$SESSION_DIR" ]]; then echo "no overlay session for $(basename "$BASE")" exit 0 fi rm -rf "$SESSION_DIR" echo "cleaned overlay for $(basename "$BASE")" exit fi if [[ "${1:-}" == "merge" ]]; then if [[ ! -d "$UPPER" ]]; then echo "no overlay session for $(basename "$BASE")" >&2
@@ -29,6 +39,7 @@ if [[ "${1:-}" == "merge" ]]; then exit 0 fi echo "$patch" | git apply rm -rf "$SESSION_DIR" echo "merged overlay changes into $BASE" exit fi
@@ -57,6 +68,16 @@ else echo "warning: nono-proxy not running on port $PROXY_PORT, no network filtering" >&2 fi # CA cert for MITM (set if ca.pem exists) CA_CERT="$STORE/ca.pem" if [[ -f "$CA_CERT" ]]; then args+=( --ro-bind "$CA_CERT" "$CA_CERT" --setenv SSL_CERT_FILE "$CA_CERT" --setenv NODE_EXTRA_CA_CERTS "$CA_CERT" ) fi args+=( )
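Review bot: In the merge branch, the new `rm -rf "$SESSION_DIR"` runs right after `echo "$patch" | git apply` whether or not the apply succeeded, so a rejected patch deletes the overlay together with the only copy of the unmerged changes; this holds unless the script enables `set -e` above the hunk, which is not visible here. Guard the deletion on the apply result: `printf '%s\n' "$patch" | git apply || { echo "git apply failed; overlay kept in $SESSION_DIR" >&2; exit 1; }`. The merge branch begins outside this hunk.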
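Review bot: The CA block binds `$STORE/ca.pem` into the sandbox on the `-f` check alone, so if the proxy writes its key and certificate into the same PEM (a common layout for MITM tooling) the sandboxed workload gets read access to the CA private key and could issue certificates that every other sandbox trusting this CA accepts; how ca.pem is generated is not visible in the hunk, so this needs confirming. Refuse to mount anything holding key material, before the `args+=(`: `if grep -q 'PRIVATE KEY' "$CA_CERT"; then echo "refusing to bind $CA_CERT: contains a private key" >&2; exit 1; fi`. Note also that `SSL_CERT_FILE` replaces the system trust store rather than extending it, so OpenSSL-based tools inside the sandbox trust only the proxy CA and any TLS connection the proxy does not intercept fails validation; whether that fail-closed behaviour is intended or not, a comment such as `# SSL_CERT_FILE replaces the system store: only proxied TLS validates` would record the decision. Tools that consult neither variable (Python requests with bundled certifi, for example) are not covered; `REQUESTS_CA_BUNDLE` can be set alongside the two existing `--setenv` lines. The trailing `args+=(` continues past the end of the hunk.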