Explicit Permissions for Node-RED: No More Blind Trust in Packages

All packages built with the NRG framework and CLI (v3 to be announced soon) must declare the permissions they require through a sentinel section in package.json. These declared grants define the resources and capabilities the package intends to use at runtime.
During installation, users are explicitly informed of these requirements and prompted to approve or deny them, similar to OAuth apps. This ensures full transparency and gives users control over what a package is allowed to access before it is executed.
By shifting permission awareness to install time, NRG reduces blind trust in third-party packages and establishes a clear security contract between package authors and users.

```json
{
  "name": "node-red-contrib-xyz",
  "sentinel": {
    "grants": [
      "network:http",
      "network:dns",
      "fs:read:/data",
      "fs:write:/tmp",
      "process:env"
    ]
  }
}
```

Each grant represents a specific capability, allowing for fine-grained control over sensitive operations such as network access, filesystem interaction, and environment inspection.

NRG CLI V3 will soon be released at: GitHub - AllanOricil/nrg-cli: ⚡️ A powerful CLI tool for generating, building, and managing Node-RED nodes and plugins with best practices.

Preview of the framework for authoring nodes that will be delivered in V3: GitHub - AllanOricil/node-red-vue-template: Write Node-RED nodes using Vue and TypeScript

NRG Sentinel: GitHub - AllanOricil/nrg-sentinel-public: Runtime security layer for Node-RED

NRG projects include a Vite plugin that statically analyzes the codebase to determine which permissions (“grants”) a package requires. During the build process, these grants are automatically injected into the sentinel section of the package.json.

When the package is installed, Sentinel’s installer presents these required grants to the user, clearly outlining the capabilities the package needs to function as intended. Users can review and approve these permissions before the package is executed.

Once approved, the grants are persisted in a .sentinel-grants.json file within the Node-RED userDir. This file acts as the authoritative source of truth for package permissions at runtime, and can only be modified by Sentinel upon user approval.

In addition, the same file is used by Sentinel’s side panel, where users can inspect, modify, and manage permissions for installed package nodes. Any changes made through the UI are reflected in this file, ensuring consistency between configuration, enforcement, and visibility.

Hi, now that you have released this as a commercial offering, can I suggest that we create a dedicated vendors channel for it ( eg similar to the Flowfuse one) ?

Yes, why not. But I think it would not help with visibility right now since there isn't organic growth momentum. Maybe when it becomes widespread like the other tooling it would be better to have a separate channel.

I had 0 leads since launch. Can't you help with that? I bet you have contacts :eyes:

Hi. I’ll go ahead and get one set up for you. I can’t help with leads as my current employer would not approve, but I think you have plenty of exposure on here with multiple threads both here and on slack.