# Nippels User Guide **Complete guide to using Nippels (NimPak Cells) for application isolation** --- ## Table of Contents 1. [Introduction](#introduction) 2. [Quick Start](#quick-start) 3. [CLI Commands Reference](#cli-commands-reference) 4. [Security Profiles](#security-profiles) 5. [Isolation Levels](#isolation-levels) 6. [Common Use Cases](#common-use-cases) 7. [Troubleshooting](#troubleshooting) 8. [Advanced Topics](#advanced-topics) --- ## Introduction **Nippels (NimPak Cells)** are lightweight, namespace-based application isolation environments. They provide: - ⚡ **Lightning-fast startup** (< 50ms overhead) - 🔒 **Strong isolation** (Linux kernel namespaces) - 🎨 **Perfect desktop integration** (native themes, fonts, clipboard) - 💾 **Efficient storage** (content-addressable deduplication) - 🔄 **Reproducibility** (merkle tree verification) - 🤖 **AI-addressability** (UTCP protocol) ### When to Use Nippels ✅ **Perfect for:** - Isolating web browsers (work vs personal) - Gaming environments - Development environments - Untrusted applications - Security-sensitive apps ❌ **Not ideal for:** - System utilities (use regular nip packages) - Command-line tools (use user environments) - Server software (use Nexus Capsules) --- ## Quick Start ### Creating Your First Nippel ```bash # Create a Nippel with default settings nip cell create my-browser # Install Firefox into the Nippel nip install --cell=my-browser firefox # Activate the Nippel nip cell activate my-browser # Run Firefox (now isolated) firefox ``` ### Creating with a Security Profile ```bash # Create with Workstation profile (balanced) nip cell create work-browser --profile=workstation # Create with Satellite profile (maximum portability) nip cell create portable-browser --profile=satellite # Create with Server profile (minimal desktop integration) nip cell create headless-app --profile=server ``` ### Listing and Managing Nippels ```bash # List all Nippels nip cell list # Show Nippel details nip cell show my-browser # Remove a Nippel nip cell remove my-browser # Deactivate current Nippel nip cell deactivate ``` --- ## CLI Commands Reference ### Core Commands #### `nip cell create [options]` Create a new Nippel. **Options:** - `--profile=` - Security profile (workstation, homestation, satellite, networkiot, server) - `--isolation=` - Isolation level (none, standard, strict, quantum) - `--customize=` - Custom profile overrides (JSON format) - `--network=` - Network access (full, limited, none) - `--filesystem=` - Filesystem access (full, home, limited, none) **Examples:** ```bash # Basic creation nip cell create firefox-isolated # With specific profile nip cell create banking --profile=satellite --isolation=strict # With custom settings nip cell create dev-env --customize='{"desktopIntegration":true,"networkAccess":"full"}' # With network restrictions nip cell create untrusted --network=none --filesystem=none ``` #### `nip cell activate ` Activate a Nippel for the current session. **Examples:** ```bash # Activate Nippel nip cell activate firefox-isolated # Check active Nippel nip cell status # Deactivate nip cell deactivate ``` #### `nip cell list [options]` List all Nippels. **Options:** - `--active` - Show only active Nippels - `--profile=` - Filter by profile - `--format=` - Output format (table, json, yaml) **Examples:** ```bash # List all Nippels nip cell list # List active Nippels only nip cell list --active # List with specific profile nip cell list --profile=satellite # JSON output nip cell list --format=json ``` #### `nip cell show ` Show detailed information about a Nippel. **Examples:** ```bash # Show Nippel details nip cell show firefox-isolated # Show with merkle tree info nip cell show firefox-isolated --merkle # Show with UTCP address nip cell show firefox-isolated --utcp ``` #### `nip cell remove [options]` Remove a Nippel. **Options:** - `--purge` - Also remove user data - `--force` - Force removal even if active **Examples:** ```bash # Remove Nippel (keep user data) nip cell remove firefox-isolated # Remove with user data nip cell remove firefox-isolated --purge # Force removal nip cell remove firefox-isolated --force ``` ### Profile Management #### `nip cell profile list` List available security profiles. **Example:** ```bash nip cell profile list ``` **Output:** ``` Available Security Profiles: - workstation: Balanced security and usability (default) - homestation: Maximum desktop integration - satellite: Maximum portability - networkiot: Minimal resources, network-focused - server: Minimal desktop integration ``` #### `nip cell profile show ` Show current profile of a Nippel. **Example:** ```bash nip cell profile show firefox-isolated ``` **Output:** ``` Nippel: firefox-isolated Profile: workstation Isolation Level: standard Desktop Integration: enabled Network Access: full Resource Limits: moderate ``` #### `nip cell profile set ` Change the security profile of a Nippel. **Example:** ```bash # Change to stricter profile nip cell profile set firefox-isolated satellite # Verify change nip cell profile show firefox-isolated ``` ### Verification Commands #### `nip cell verify [options]` Verify Nippel integrity using merkle tree. **Options:** - `--fix` - Attempt to fix integrity issues - `--verbose` - Show detailed verification results **Examples:** ```bash # Verify Nippel integrity nip cell verify firefox-isolated # Verify with detailed output nip cell verify firefox-isolated --verbose # Verify and fix issues nip cell verify firefox-isolated --fix ``` **Output:** ``` Verifying Nippel: firefox-isolated Merkle Root: xxh3-abc123def456... Files Checked: 1,234 Status: ✅ VERIFIED ``` #### `nip cell query [method]` Query Nippel via UTCP protocol. **Methods:** - `state` - Get Nippel state - `merkle` - Get merkle tree root - `activate` - Activate Nippel - `deactivate` - Deactivate Nippel **Examples:** ```bash # Query Nippel state nip cell query utcp://localhost/nippel/firefox-isolated state # Get merkle root nip cell query utcp://localhost/nippel/firefox-isolated merkle # Activate via UTCP nip cell query utcp://localhost/nippel/firefox-isolated activate ``` ### Package Management #### `nip install --cell= ` Install package into a Nippel. **Examples:** ```bash # Install from default repository nip install --cell=firefox-isolated firefox # Install from AUR nip install --cell=firefox-isolated --graft=aur firefox # Install from Nix nip install --cell=firefox-isolated --graft=nix firefox # Install multiple packages nip install --cell=dev-env gcc gdb valgrind ``` #### `nip remove --cell= ` Remove package from a Nippel. **Examples:** ```bash # Remove package nip remove --cell=firefox-isolated firefox-addon # Remove multiple packages nip remove --cell=dev-env gcc gdb ``` #### `nip update --cell=` Update packages in a Nippel. **Examples:** ```bash # Update all packages in Nippel nip update --cell=firefox-isolated # Update specific package nip update --cell=firefox-isolated firefox ``` ### Backup and Restore #### `nip cell export [options]` Export Nippel to portable archive. **Options:** - `--output=` - Output file path - `--compress=` - Compression level (0-9) - `--include-data` - Include user data (default: true) **Examples:** ```bash # Export Nippel nip cell export firefox-isolated --output=firefox.nippel.tar.zst # Export without user data nip cell export firefox-isolated --output=firefox-clean.nippel.tar.zst --include-data=false ``` #### `nip cell import [options]` Import Nippel from archive. **Options:** - `--name=` - Custom name for imported Nippel - `--verify` - Verify integrity after import **Examples:** ```bash # Import Nippel nip cell import firefox.nippel.tar.zst # Import with custom name nip cell import firefox.nippel.tar.zst --name=firefox-restored # Import and verify nip cell import firefox.nippel.tar.zst --verify ``` --- ## Security Profiles Nippels support five security profiles, each optimized for different use cases: ### 1. Workstation Profile (Default) **Best for:** Daily desktop use, balanced security and usability **Settings:** - Isolation Level: Standard - Desktop Integration: Full - Network Access: Full - Resource Limits: Moderate - XDG Strategy: Portable **Use Cases:** - Web browsers for general use - Office applications - Media players - Communication apps **Example:** ```bash nip cell create firefox-work --profile=workstation ``` ### 2. Homestation Profile **Best for:** Home desktop, maximum convenience **Settings:** - Isolation Level: Standard - Desktop Integration: Maximum - Network Access: Full - Resource Limits: Relaxed - XDG Strategy: System-integrated **Use Cases:** - Personal applications - Gaming - Media creation - Home automation **Example:** ```bash nip cell create gaming --profile=homestation ``` ### 3. Satellite Profile **Best for:** Portable environments, maximum isolation **Settings:** - Isolation Level: Strict - Desktop Integration: Minimal - Network Access: Limited - Resource Limits: Strict - XDG Strategy: Portable **Use Cases:** - Untrusted applications - Security-sensitive apps - Banking/financial apps - Portable environments **Example:** ```bash nip cell create banking --profile=satellite ``` ### 4. NetworkIOT Profile **Best for:** Network-focused, minimal resources **Settings:** - Isolation Level: Standard - Desktop Integration: None - Network Access: Full - Resource Limits: Minimal - XDG Strategy: System-integrated **Use Cases:** - Network services - IoT applications - Headless tools - Monitoring agents **Example:** ```bash nip cell create mqtt-client --profile=networkiot ``` ### 5. Server Profile **Best for:** Server applications, no desktop **Settings:** - Isolation Level: Strict - Desktop Integration: None - Network Access: Full - Resource Limits: Moderate - XDG Strategy: System-integrated **Use Cases:** - Server applications - Background services - Headless applications - System daemons **Example:** ```bash nip cell create web-server --profile=server ``` --- ## Isolation Levels Nippels support four isolation levels: ### 1. None **Description:** No isolation, runs in host environment **Namespaces:** None **Use Cases:** - Testing - Development - Debugging **Example:** ```bash nip cell create test-app --isolation=none ``` ### 2. Standard (Default) **Description:** Balanced isolation for most applications **Namespaces:** - Mount namespace (filesystem isolation) - PID namespace (process isolation) - IPC namespace (inter-process communication isolation) **Use Cases:** - Web browsers - Office applications - Media players - Most desktop apps **Example:** ```bash nip cell create firefox-isolated --isolation=standard ``` ### 3. Strict **Description:** Strong isolation for security-sensitive apps **Namespaces:** - Mount namespace - PID namespace - IPC namespace - Network namespace (network isolation) - UTS namespace (hostname isolation) **Use Cases:** - Banking applications - Password managers - Untrusted applications - Security-sensitive apps **Example:** ```bash nip cell create banking --isolation=strict ``` ### 4. Quantum **Description:** Maximum isolation, complete separation **Namespaces:** - All namespaces (mount, PID, IPC, network, UTS, user) - Complete filesystem isolation - No network access - No system integration **Use Cases:** - Completely untrusted applications - Malware analysis - Maximum security scenarios **Example:** ```bash nip cell create untrusted --isolation=quantum --network=none ``` --- ## Common Use Cases ### Use Case 1: Isolated Web Browsers **Scenario:** Separate work and personal browsing ```bash # Create work browser nip cell create work-browser --profile=workstation nip install --cell=work-browser firefox # Create personal browser nip cell create personal-browser --profile=workstation nip install --cell=personal-browser firefox # Use work browser nip cell activate work-browser firefox # Opens work browser with work bookmarks/history # Switch to personal browser nip cell deactivate nip cell activate personal-browser firefox # Opens personal browser with personal bookmarks/history ``` **Benefits:** - Complete separation of cookies, cache, history - Different extensions per browser - Work and personal data never mix - Easy to backup each separately ### Use Case 2: Gaming Environment **Scenario:** Isolated gaming setup ```bash # Create gaming environment nip cell create gaming --profile=homestation nip install --cell=gaming steam discord lutris wine # Activate and game nip cell activate gaming steam # Runs in isolated environment # Backup gaming environment nip cell export gaming --output=gaming-backup.tar.zst ``` **Benefits:** - Keep game files separate from work files - Easy backup of entire gaming setup - No anti-cheat software scanning your system - Portable to other machines ### Use Case 3: Development Environments **Scenario:** Multiple isolated development environments ```bash # Python development nip cell create python-dev --profile=workstation nip install --cell=python-dev python poetry pytest black mypy # Node.js development nip cell create node-dev --profile=workstation nip install --cell=node-dev nodejs npm yarn typescript # Rust development nip cell create rust-dev --profile=workstation nip install --cell=rust-dev rustc cargo # Switch between environments nip cell activate python-dev python --version # Python environment nip cell activate node-dev node --version # Node.js environment ``` **Benefits:** - No dependency conflicts - Clean, isolated environments - Easy to recreate - Portable across machines ### Use Case 4: Banking and Financial Apps **Scenario:** Maximum security for financial applications ```bash # Create strict banking environment nip cell create banking --profile=satellite --isolation=strict # Install banking apps nip install --cell=banking firefox # Activate for banking nip cell activate banking firefox https://mybank.com # Completely isolated # Deactivate when done nip cell deactivate ``` **Benefits:** - Complete isolation from other apps - No access to personal files - Limited network access - Maximum security ### Use Case 5: Untrusted Applications **Scenario:** Run untrusted software safely ```bash # Create quantum-isolated environment nip cell create untrusted --profile=satellite --isolation=quantum --network=none # Activate and run untrusted app nip cell activate untrusted ./suspicious-binary # Completely isolated, no network, no file access # Verify integrity after nip cell verify untrusted ``` **Benefits:** - Complete isolation - No network access - No file system access - Safe to run untrusted code --- ## Troubleshooting ### Common Issues #### Issue: "Permission denied" when creating Nippel **Cause:** Insufficient permissions for namespace creation **Solution:** ```bash # Run with sudo (for system-wide Nippels) sudo nip cell create my-app # Or create user-level Nippel (no sudo needed) nip cell create my-app --user ``` #### Issue: Application doesn't see system themes **Cause:** Desktop integration disabled or wrong profile **Solution:** ```bash # Check current profile nip cell profile show my-app # Change to profile with desktop integration nip cell profile set my-app workstation # Or customize current profile nip cell customize my-app --desktop-integration=true ``` #### Issue: Application can't access network **Cause:** Network isolation enabled **Solution:** ```bash # Check isolation level nip cell show my-app # Change to standard isolation (allows network) nip cell profile set my-app workstation --isolation=standard # Or customize network access nip cell customize my-app --network=full ``` #### Issue: Nippel verification fails **Cause:** File corruption or tampering **Solution:** ```bash # Verify with details nip cell verify my-app --verbose # Attempt to fix nip cell verify my-app --fix # If unfixable, restore from backup nip cell import my-app-backup.nippel.tar.zst --name=my-app-restored ``` #### Issue: Slow Nippel activation **Cause:** Large number of files or slow storage **Solution:** ```bash # Check Nippel size nip cell show my-app # Clean up cache nip cell clean my-app --cache # Optimize CAS nip cas optimize # Check for disk issues nip doctor ``` ### Diagnostic Commands ```bash # Check Nippel health nip cell doctor my-app # Show detailed status nip cell status --verbose # Check CAS integrity nip cas verify # Show system information nip info # Enable debug logging nip --log-level=debug cell activate my-app ``` ### Getting Help ```bash # Show help for any command nip cell --help nip cell create --help nip cell profile --help # Show version information nip --version # Report issues nip bug-report ``` --- ## Advanced Topics ### Custom Profile Overrides You can customize any profile with specific overrides: ```bash # Create with custom overrides (JSON) nip cell create my-app --customize='{ "isolationLevel": "strict", "desktopIntegration": true, "networkAccess": "limited", "resourceLimits": { "maxMemory": "2GB", "maxCPU": "50%" } }' # Or use a file nip cell create my-app --customize-file=overrides.json ``` ### UTCP Protocol Nippels are AI-addressable via UTCP (Universal Transport Control Protocol): ```bash # Get UTCP address nip cell show my-app --utcp # Output: utcp://localhost/nippel/my-app # Query via UTCP nip cell query utcp://localhost/nippel/my-app state # Remote query (if enabled) nip cell query utcp://remote-host/nippel/my-app state ``` ### Merkle Tree Verification Nippels use merkle trees for integrity verification: ```bash # Show merkle root nip cell show my-app --merkle # Output: Merkle Root: xxh3-abc123def456... # Verify integrity nip cell verify my-app # Show merkle tree structure nip cell merkle my-app --tree # Compare with another Nippel nip cell merkle diff my-app other-app ``` ### Decentralized Features Nippels support decentralized operation: ```bash # Announce Nippel to network nip cell announce my-app # Discover Nippels on network nip cell discover # Sync with remote Nippel nip cell sync my-app --from=utcp://remote-host/nippel/my-app # Join decentralized cluster nip cluster join my-cluster ``` ### Performance Tuning ```bash # Enable lazy namespace creation nip config set lazy-namespaces true # Adjust CAS cache size nip config set cas-cache-size 1GB # Enable parallel operations nip config set parallel-ops true # Tune merkle tree cache nip config set merkle-cache-size 100MB ``` --- ## See Also - [Nippels vs Flatpak](./NIPPELS_VS_FLATPAK.md) - Comparison with Flatpak - [Nippels vs Packages](./NIPPELS_VS_PACKAGES.md) - When to use Nippels vs packages - [Nippels Requirements](../../.kiro/specs/nip-nippels/requirements.md) - Technical requirements - [Nippels Design](../../.kiro/specs/nip-nippels/design.md) - Architecture and design - [Security Profiles](./SECURITY_PROFILES.md) - Detailed profile documentation --- **Version:** 1.0 **Last Updated:** November 19, 2025 **Status:** User Documentation **Target Audience:** End users and system administrators