Runtime Philosophy

The Zero-Trust Runtime

Security can't be an afterthought in the module loader. It has to be the first line of code your runtime reads.

Jordan Whitfield · June 12, 2025 · 9 min read

In February 2016, a tiny padding package vanished from a public registry during a naming dispute. Thousands of builds broke in minutes because critical pipelines depended on eleven unaudited lines. The incident exposed a runtime habit most teams had learned to ignore: every process could read files, reach the network, spawn child processes, and touch production secrets by default.

The Zero-Trust Default

Nilo flips that assumption entirely. A process starts with zero permissions: no filesystem access, no network sockets, no environment reads, no subprocess spawners. Teams grant capabilities explicitly at launch with flags like --allow-read=./data and --allow-net=api.internal. The constraint lives in the runtime, so an audit reads like a contract instead of a scavenger hunt.