AI agent security that makes the dangerous bits structurally impossible.
From the creator of
Sigstore
The standard for secure software attestation, used by PyPI, npm, brew, and Maven Central
Warning
Early alpha -- not yet audited for production use. Active development may cause breakage. Please don't point a coding agent at the repo and raise large LLM-generated security issues, we likely already know about them; instead ask in Discord first.
nono wraps any AI agent or process in a kernel-isolated sandbox in seconds. No hypervisor. No infrastructure required. A single binary, zero added latency, and flexible enough to fit a solo developer's workflow or a fleet of agents running at scale in production.
Platform support: macOS, Linux, and WSL2. Native Windows coming soon.
Install:
brew install nonoOther options in the Installation Guide.
Detach and reattach to sandboxed agents -- Run agents in the background with nono run --detach, reconnect with nono attach. Includes nono ps, nono stop, and nono inspect. (#526)
WSL2 support -- Auto-detection with ~84% feature coverage out of the box. Run nono setup --check-only to see what's available. (#522)
Portable capability manifests -- Export fully-resolved sandbox configs with nono policy show <profile> --format manifest for CI/Kubernetes deployment. (#534)
API endpoint filtering -- Control which endpoints agents can reach with L7 filtering: --allow-endpoint 'github:GET:/repos/*/issues/**'. (#513)
Custom CAs and file-based credentials for k8s -- tls_ca for self-signed endpoints (#548), file:// URIs for mounted secrets (#552).
# Any CLI agent -- just put your command after --
$ nono run --profile claude-code -- claude
# or with tmux style multiplexer and atomic snapshots
$ nono run --detached --profile claude-code --rollback -- claude
Started detached session 7a6a652f7273fe60.
Attach with: nono attach 7a6a652f7273fe60
# Any given command
nono run -- python3 my_agent.py
nono run --read /data -- npx @modelcontextprotocol/server-filesystem /data
nono run --profile codex -- codexBuilt-in profiles for Claude Code, Codex, OpenCode, OpenClaw, and Swival -- or define your own.
The core is a Rust library that can be embedded into any application. Policy-free -- it applies only what clients explicitly request.
use nono::{CapabilitySet, Sandbox};
let mut caps = CapabilitySet::new();
caps.allow_read("/data/models")?;
caps.allow_write("/tmp/workspace")?;
Sandbox::apply(&caps)?; // Irreversible -- kernel-enforced from here onAlso available as Python , TypeScript, Go bindings.
| Feature | Description |
|---|---|
| Kernel sandbox | Landlock (Linux) + Seatbelt (macOS). Irreversible, inherited by child processes. |
| Credential injection | Proxy mode keeps API keys outside the sandbox entirely. Supports keystore, 1Password, Apple Passwords. |
| Attestation | Sigstore-based signing and verification of instruction files (SKILLS.md, CLAUDE.md, etc.). |
| Network filtering | Allowlist-based host and endpoint filtering via local proxy. Cloud metadata endpoints hard-denied. |
| Snapshots | Content-addressable rollback with SHA-256 dedup and Merkle tree integrity. |
| Policy profiles | Pre-built profiles for popular agents and use cases. Custom profile builder for your own needs. |
| Audit logs | Verifiable logs of all agent actions, with optional remote upload and monitoring. |
| Cross-platform | Support for macOS, Linux, and WSL2. Native Windows support in planning. |
| Multiplexing | Run multiple agents in parallel with separate sandboxes. Attach/detach to long-running agents. |
| Runs anywhere | Local CLI, CI pipelines, Containers / Kubernetes, cloud VMs, microVMs. |
See the full documentation for details and configuration.
We encourage using AI tools to contribute. However, you must understand and carefully review any AI-generated code before submitting. Security is paramount. If you don't understand how a change works, ask in Discord first.
If you discover a security vulnerability, please do not open a public issue. Follow the process in our Security Policy.
Apache-2.0