GitHub - lukehinds/nono: A secure, kernel-enforced capability sandbox for AI agents. It's the opposite to YOLO

6 min read Original article ↗

nono

A secure, kernel-enforced capability sandbox for AI agents

Join Discord

License CI Status Discord

Warning

This is an early alpha release that has not undergone comprehensive security audit We are also in the process of porting the core to its own library. We still welcome PR's, but note a bit of cat herding maybe involved if the change touches a lot of files.

nono is a secure, kernel-enforced capability shell for running AI agents and any unit process. Unlike policy-based sandboxes that intercept and filter operations, nono leverages OS security primitives (Landlock on Linux, Seatbelt on macOS) to create an environment where unauthorized operations are structurally impossible.

nono also provides protections against destructive commands (rm -rf ..) and provides a way to securely store API keys, tokens, secrets that are injected securely into the process at run time.

Many more features are planned, see the Roadmap below.

Quick Start

MacOS

brew tap lukehinds/nono 
brew install nono

Note

The package is not in homebrew official yet, give us a star to help raise our profile for when request approval

Linux Package Managers

We are in the process of packaging nono for popular Linux distributions. In the meantime, you can use the prebuilt binaries or build from source.

Building from Source

See the Development Guide for instructions on building nono from source.

Supported Clients

nono ships with built-in profiles for popular AI coding agents. Each profile defines audited, minimal permissions so you can get started with a single command.

Client Command Network Docs
Claude Code
Anthropic's CLI coding agent		 nono run --profile claude-code -- claude Allowed Guide
OpenCode
Open-source AI coding assistant		 nono run --profile opencode -- opencode Allowed Guide
OpenClaw
Multi-channel AI agent platform		 nono run --profile openclaw -- openclaw gateway Allowed Guide

Don't see your tool? nono is agent-agnostic and works with any CLI command:

nono run --allow . -- my-agent

Projects using nono

Project Repository
claw-wrap GitHub

Shell Alias (Claude Code example)

For quick access, add a shell function:

sclaude() {
    nono run --profile claude-code --allow . "$@" -- claude
}

Usage:

sclaude                           # Current directory only
sclaude --allow /tmp              # Current directory + /tmp
sclaude --read ~/Documents        # Current directory + read-only ~/Documents

Features

  • No escape hatch - Once inside nono, there is no mechanism to bypass restrictions
  • Agent agnostic - Works with any AI agent (Claude, GPT, opencode, openclaw) or any process
  • OS-level enforcement - Kernel denies unauthorized operations
  • Destructive command blocking - Blocks dangerous commands like rm, dd, chmod by default
  • Cross-platform - Linux (Landlock) and macOS (Seatbelt)

Usage

# Allow read+write to current directory
nono run --allow . -- command

# Separate read and write permissions
nono run --read ./src --write ./output -- cargo build

# Multiple paths
nono run --allow ./project-a --allow ./project-b -- command

# Block network access
nono run --allow . --net-block -- command

# Dry run (show what would be sandboxed)
nono run --allow . --dry-run -- command

# Start an interactive shell inside the sandbox
nono shell --allow .

# Check why a path would be blocked
nono why --path ~/.ssh/id_rsa --op read

Command Blocking

nono blocks dangerous commands by default to prevent AI agents from accidentally (or maliciously) causing harm. This provides defense-in-depth beyond filesystem restrictions.

Blocked Commands

The following categories of commands are blocked by default:

Category Commands
File destruction rm, rmdir, shred, srm
Disk operations dd, mkfs, fdisk, parted, wipefs
Permission changes chmod, chown, chgrp, chattr
System modification shutdown, reboot, halt, systemctl
Package managers apt, brew, pip, yum, pacman
File operations mv, cp, truncate
Privilege escalation sudo, su, doas, pkexec
Network exfiltration scp, rsync, sftp, ftp

Overriding Command Blocks

# Allow a specific blocked command (use with caution)
nono run --allow . --allow-command rm -- rm ./temp-file.txt

# Block an additional command
nono run --allow . --block-command my-dangerous-tool -- my-script.sh

Kernel-Level Protection

nono applies kernel-level protections that limit destructive operations:

  • File deletion blocked outside granted paths - unlink/rmdir syscalls are blocked for system paths like /tmp, /dev, and any path not explicitly granted with --allow or --write
  • Directory deletion blocked everywhere - rmdir is blocked even within granted write paths (Linux: RemoveDir excluded from Landlock rules; macOS: global deny file-write-unlink with targeted overrides for file deletion only)

Within paths you explicitly grant write access to (--allow or --write), file creation, modification, and deletion are permitted - this is necessary for normal file operations like atomic writes.

# File deletion blocked in system paths (even with --allow-command rm)
$ nono run --allow ./project --allow-command rm -- rm /etc/hosts
rm: /etc/hosts: Operation not permitted

How It Works

┌─────────────────────────────────────────────────┐
│  Terminal                                       │
│                                                 │
│  $ nono run --allow ./project -- agent          │
│                                                 │
│  ┌───────────────────────────────────────────┐  │
│  │  nono (applies sandbox, then exec)        │  │
│  │                                           │  │
│  │  ┌─────────────────────────────────────┐  │  │
│  │  │  Agent (sandboxed)            │  │  │
│  │  │  - Can read/write ./project         │  │  │
│  │  │  - Cannot access ~/.ssh, ~/.aws...  │  │  │
│  │  │  - Network: allowed (or blocked)    │  │  │
│  │  └─────────────────────────────────────┘  │  │
│  └───────────────────────────────────────────┘  │
└─────────────────────────────────────────────────┘

Platform Support

Platform Mechanism Kernel Status
macOS Seatbelt 10.5+ Filesystem + Network
Linux Landlock 5.13+ Filesystem
Linux Landlock 6.7+ Filesystem + Network (TCP)
Windows - - Not yet supported

Roadmap

Planned Features

Feature Description
Advisory API Allow agents to preemptively check permissions before attempting operations, avoiding trial-and-error failures
Signed Policy Files Policy files signed and attestable via Sigstore Rekor, with embedded DSSE signed payloads. Users can craft and sign their own default policies
Interactive Permission Mode nono run --interactive spawns a supervisor that prompts when blocked operations are attempted
Network Filtering Fine-grained network controls (e.g. allowlist/denylist hosts, ports, protocols)
Time-Limited Permissions nono run --allow /tmp:5m -- agent grants temporary access that expires automatically
Learning Mode nono learn -- command traces syscalls and generates a minimal capability profile
Ephemeral Mode nono run --ephemeral creates a copy-on-write overlay filesystem where writes are isolated, enabling full undo
Audit Logging nono run --audit-log ./session.jsonl -- command logs all sandbox-relevant operations for post-hoc analysis and replay
Extend Secrets Manager Support Support for popular secrets managers: Bitwarden/1Password/KeePass
nono as a library Expose nono's sandboxing functionality as a library via Rust bindings
Windows Support Implement a Windows version using Job Objects and Windows Sandbox

Security Model

nono follows a capability-based security model with defense-in-depth:

  1. Command validation - Dangerous commands (rm, dd, chmod, etc.) are blocked before execution
  2. Sandbox applied - OS-level restrictions are applied (irreversible)
  3. Kernel enforcement - Directory deletion blocked everywhere; file deletion blocked outside granted write paths
  4. Command executed - The command runs with only granted capabilities
  5. All children inherit - Subprocesses also run under restrictions

Defense Layers

Layer Protection Bypass
Command blocklist Blocks known-dangerous binaries --allow-command
Kernel (dir delete) Blocks directory deletion (rmdir) everywhere None
Kernel (file delete) Blocks file deletion outside granted write paths Explicit --allow / --write
Filesystem sandbox Restricts path access Explicit --allow
Network sandbox Blocks network access Remove --net-block

License

Apache-2.0