What's new in nono — late March 2026 #589
lukehinds
announced in
Announcements
A lot landed in the last two weeks. The big theme: nono is growing up from a local dev tool into something you can run in production. Sessions, manifests, WSL2, and a bunch of proxy work that makes enterprise deployments way more practical.
Detach and reattach to sandboxed agents
You can now run a sandboxed agent in the background and come back to it later.
nono run --detach starts your agent in a detached PTY, and nono attach reconnects you. There's also nono ps to see what's running, nono stop to kill a session, and nono inspect to peek at its state. Think of it like tmux, but for sandboxed agents. This is shipping as an alpha feature — we'd love feedback on how it feels. (#526)
WSL2 just works now
If you're on Windows with WSL2, nono now detects that automatically and adapts. About 84% of features work out of the box — the main gaps (seccomp notify, per-port network filtering) are clearly flagged rather than silently broken. Run nono setup --check-only to see exactly what's available on your system. The remaining gaps will close as the WSL2 kernel catches up. (#522)
Portable capability manifests
Profiles are great for authoring, but deploying a sandbox in Kubernetes or CI shouldn't require nono's profile machinery. The new capability manifest is a fully-resolved, portable JSON document — no inheritance, no groups, no variables, just the exact capabilities to enforce. Author your profile locally, export it with nono policy show <profile> --format manifest, and deploy the result anywhere with --config <file>. (#534)
Lock down which API endpoints agents can reach
The proxy already controls which services your agent can talk to. Now you can control which endpoints within those services. The new --allow-endpoint flag takes patterns like github:GET:/repos/*/issues/** and blocks everything else with a 403 before credentials are even touched. Useful when you want an agent to read issues but not, say, delete your repo. (#513)
Custom CAs and file-based credentials
Two smaller additions that matter a lot for enterprise setups: proxy routes can now specify a tls_ca PEM file for upstream TLS, so you can connect to self-signed endpoints like internal Kubernetes API servers (#548). And credentials can now be loaded from local files via file:// URIs — handy when your secrets are mounted as Kubernetes volumes or dropped by a Vault sidecar (#552).
Grab the latest from GitHub or cargo install nono-cli. Questions? Hit us up in Discussions.
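The default-deny endpoint filtering described under "Lock down which API endpoints agents can reach", as an added sketch that is not nono's own code. It assumes `*` matches exactly one path segment and `**` matches zero or more (the post does not state the glob semantics), and the function names and sample requests are constructed for illustration.

```rust
// Added sketch, not nono's code. Assumed glob semantics (not stated in the post):
// `*` matches exactly one path segment, `**` matches zero or more segments.

/// One parsed `service:METHOD:/path/pattern` rule.
struct Rule<'a> { service: &'a str, method: &'a str, path: Vec<&'a str> }

fn segments(path: &str) -> Vec<&str> {
    path.split('/').filter(|s| !s.is_empty()).collect()
}

fn parse_rule(s: &str) -> Option<Rule> {
    let mut it = s.splitn(3, ':');
    let (service, method, path) = (it.next()?, it.next()?, it.next()?);
    if !path.starts_with('/') { return None; }
    Some(Rule { service, method, path: segments(path) })
}

/// Recursive segment-wise glob match.
fn segs_match(pat: &[&str], path: &[&str]) -> bool {
    let (p, rest) = match pat.split_first() {
        Some((p, rest)) => (*p, rest),
        None => return path.is_empty(),
    };
    if p == "**" {
        // Try every possible number of segments for `**` to absorb.
        return (0..=path.len()).any(|i| segs_match(rest, &path[i..]));
    }
    match path.split_first() {
        Some((s, tail)) => (p == "*" || p == *s) && segs_match(rest, tail),
        None => false,
    }
}

/// Default deny: true only if some rule matches; false is where a proxy would answer 403.
fn allowed(rules: &[Rule], service: &str, method: &str, target: &str) -> bool {
    let path = target.split(|c: char| c == '?' || c == '#').next().unwrap_or("");
    let segs = segments(path);
    // Reject dot-segments outright rather than trusting upstream normalisation.
    if segs.iter().any(|s| *s == "." || *s == "..") { return false; }
    rules.iter().any(|r| r.service == service && r.method == method && segs_match(&r.path, &segs))
}

fn main() {
    let rules = vec![parse_rule("github:GET:/repos/*/issues/**").unwrap()];
    // Constructed requests, not captured traffic.
    for (m, t) in [("GET", "/repos/example-repo/issues/42"), ("DELETE", "/repos/example-repo")] {
        println!("{} {} -> {}", m, t, if allowed(&rules, "github", m, t) { "forward" } else { "403" });
    }
}
```

Matching on the method and the path together is what lets a rule permit reading issues while a DELETE against the same repository falls through to the deny.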