nono: OS-Level Isolation for AI Agents.
OS-enforced sandboxing for untrusted AI agents and processes.
Brought to you by the creator of Sigstore
Security without compromise
Unlike policy-based sandboxes that intercept and filter operations, nono leverages OS security primitives to create an environment where unauthorized operations are structurally impossible.
No Escape Hatch
Once inside nono, there is no mechanism to bypass restrictions. The agent cannot request more permissions because the mechanism doesn't exist.
Agent Agnostic
Works with any AI agent. Actually, more than that. It works with any process you want to sandbox.
OS-Level Enforcement
The kernel denies unauthorized operations directly. No interception, no filtering - operations are structurally impossible.
Cross-Platform
Linux support via Landlock and macOS support via Seatbelt. Native OS security primitives for maximum reliability.
How it works
nono follows a capability-based security model. You grant explicit capabilities, and the OS enforces them at the kernel level.
1. Enter sandbox: You start nono with explicit capabilities for the paths you want to allow.
2. Sandbox applied: OS-level restrictions are applied. This is irreversible for the process.
3. Command executed: The command runs with only the granted capabilities. All children inherit the restrictions.
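The three steps above, carried out directly against the Linux primitive nono uses (Landlock), as an added example that is not nono's own code: a caller states explicit capabilities as path-plus-rights grants, the process builds a ruleset and restricts itself (there is no syscall to undo this), and a forked child inherits the restriction. The Landlock constants, struct layouts and syscall numbers are copied from the stable kernel ABI so the file builds without <linux/landlock.h>; the `grant` struct, the "r"/"w"/"x" mode letters and the probe paths are this example's own conventions, not nono's interface. On macOS nono uses Seatbelt instead, which this example does not cover.

```c
/* Added example (not nono's code): explicit-capability sandboxing with
 * Linux Landlock through raw syscalls. ABI definitions copied from the
 * kernel's stable Landlock interface (Linux 5.13+). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444   /* same numbers on every architecture */
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#ifndef O_PATH
#define O_PATH 010000000
#endif
#define LL_RULE_PATH_BENEATH 1
#define LL_FS_EXECUTE     (1ULL << 0)
#define LL_FS_WRITE_FILE  (1ULL << 1)
#define LL_FS_READ_FILE   (1ULL << 2)
#define LL_FS_READ_DIR    (1ULL << 3)
#define LL_FS_REMOVE_DIR  (1ULL << 4)
#define LL_FS_REMOVE_FILE (1ULL << 5)
#define LL_FS_MAKE_DIR    (1ULL << 7)
#define LL_FS_MAKE_REG    (1ULL << 8)
#define LL_FS_ALL_V1      ((1ULL << 13) - 1)   /* every FS right ABI v1 can deny */

struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* One explicit capability: a path and the rights ("r", "w", "x") granted beneath it. */
struct grant { const char *path; const char *mode; };

/* Translate a mode string into the Landlock rights it grants (example convention). */
uint64_t cap_mask(const char *mode) {
    uint64_t m = 0;
    for (; *mode; mode++) {
        if (*mode == 'r') m |= LL_FS_READ_FILE | LL_FS_READ_DIR;
        if (*mode == 'w') m |= LL_FS_WRITE_FILE | LL_FS_MAKE_REG | LL_FS_MAKE_DIR
                             | LL_FS_REMOVE_FILE | LL_FS_REMOVE_DIR;
        if (*mode == 'x') m |= LL_FS_EXECUTE;
    }
    return m;
}

/* Steps 1 and 2: build a ruleset from the grants and restrict this process.
 * Every handled right not granted is denied by the kernel, and no syscall
 * exists to lift the restriction. Returns 0 on success, 1 if Landlock is
 * unavailable here (old kernel, or a container policy blocking it), -1 on error. */
int enter_sandbox(const struct grant *grants, size_t n) {
    struct ll_ruleset_attr attr = { .handled_access_fs = LL_FS_ALL_V1 };
    int rs = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (rs < 0) return (errno == ENOSYS || errno == EOPNOTSUPP || errno == EPERM) ? 1 : -1;
    for (size_t i = 0; i < n; i++) {
        struct ll_path_beneath_attr pb = { .allowed_access = cap_mask(grants[i].mode) };
        pb.parent_fd = open(grants[i].path, O_PATH | O_CLOEXEC);
        if (pb.parent_fd < 0) { close(rs); return -1; }
        int rc = (int)syscall(__NR_landlock_add_rule, rs, LL_RULE_PATH_BENEATH, &pb, 0);
        close(pb.parent_fd);
        if (rc) { close(rs); return -1; }
    }
    /* Required so an unprivileged process cannot regain rights via setuid binaries. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { close(rs); return -1; }
    int rc = (int)syscall(__NR_landlock_restrict_self, rs, 0);
    close(rs);
    return rc ? -1 : 0;
}

/* Try to create a file at path: 1 if the kernel allowed it, 0 if it was denied. */
static int can_create(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd < 0) return 0;
    close(fd);
    unlink(path);
    return 1;
}

/* Step 3 as a runnable check: a child enters a sandbox granting read on "/"
 * and write on one constructed workspace dir, then forks a grandchild (which
 * inherits the restriction) that probes a write inside and outside that dir.
 * Result: 0 = enforced as expected, 1 = Landlock unavailable,
 * 2 = restriction not effective, 3 = setup failure. */
int demo(void) {
    char ws[] = "/tmp/nono-demo-XXXXXX";            /* constructed workspace path */
    if (!mkdtemp(ws)) return 3;
    pid_t pid = fork();
    if (pid < 0) { rmdir(ws); return 3; }
    if (pid == 0) {
        struct grant grants[] = { { "/", "r" }, { ws, "w" } };
        int rc = enter_sandbox(grants, 2);
        if (rc) _exit(rc == 1 ? 1 : 3);
        pid_t gc = fork();
        if (gc < 0) _exit(3);
        if (gc == 0) {
            char inside[64];
            snprintf(inside, sizeof inside, "%s/probe", ws);
            int ok = can_create(inside) && !can_create("/tmp/nono-demo-outside-probe");
            _exit(ok ? 0 : 2);
        }
        int st;
        waitpid(gc, &st, 0);
        _exit(WIFEXITED(st) ? WEXITSTATUS(st) : 3);
    }
    int st;
    waitpid(pid, &st, 0);
    rmdir(ws);
    return WIFEXITED(st) ? WEXITSTATUS(st) : 3;
}

int main(void) {
    static const char *names[] = { "enforced", "landlock unavailable", "NOT enforced", "setup failed" };
    int r = demo();
    printf("sandbox demo: %s\n", names[r < 4 ? r : 3]);
    return r == 0 ? 0 : 1;
}
```

The parent process never restricts itself; only the child enters the sandbox, so the workspace can still be removed afterwards. The grandchild makes no Landlock call of its own, which is the point of step 3: the restriction travels with fork and exec and cannot be shed.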
Install
Get up and running in seconds.
Building from source requires a Rust toolchain. See the docs for more installation options.
Platform support
nono uses native OS security primitives for maximum reliability and performance.
macOS (via Seatbelt): Supported
Linux (via Landlock): Supported
Windows support is planned for a future release.
