Summary
Registry-installed nono packs are expected to be verified from local provenance metadata before they are used. Two files are relevant:
~/.config/nono/packages/lockfile.json
~/.config/nono/packages/<namespace>/<pack>/.nono-trust.bundle
Testing shows that nono fails closed when a pack has a trust bundle but no lockfile entry. However, if the trust bundle is also absent, the same pack can load successfully. Deleting security metadata should not make a pack easier to run.
Affected behavior
Observed with always-further/claude:
-
Delete ~/.config/nono/packages/lockfile.json.
Result:
nono: Package verification failed for always-further/claude: pack 'always-further/claude' has a trust bundle but no lockfile entry - reinstall with: nono pull always-further/claude --force
-
Delete ~/.config/nono/packages/always-further/claude/.nono-trust.bundle.
Result: the profile loads successfully.
-
Restore .nono-trust.bundle while the lockfile is still absent.
Result:
nono: Package verification failed for always-further/claude: pack 'always-further/claude' has a trust bundle but no lockfile entry - reinstall with: nono pull always-further/claude --force
Impact
If both the lockfile entry and trust bundle are absent, nono may accept an installed registry pack without artifact hash verification or provenance verification.
This is especially important for pack-provided session hooks, because session hooks execute on the host outside the sandbox. A pack that contributes host-executed code should not run unless nono can verify that the code is a locked and trusted pack artifact.
Root cause
verify_profile_packs treats the lockfile entry as optional. Existing code fails when a trust bundle exists without a matching lockfile entry, but when the trust bundle is absent too, there is no equivalent hard failure.
That creates a fail-open state:
- lockfile entry missing
- trust bundle missing
- pack directory still present
- profile can load
Recommended fix
For any registry pack selected for execution, require both:
- A matching lockfile entry in
~/.config/nono/packages/lockfile.json.
- A present and valid
.nono-trust.bundle in the installed pack directory.
If either is missing, fail closed with a reinstall instruction, for example:
reinstall with: nono pull <namespace>/<pack> --force
This keeps verification monotonic: removing provenance metadata cannot downgrade a verification failure into a successful launch.
Summary
Registry-installed nono packs are expected to be verified from local provenance metadata before they are used. Two files are relevant:
~/.config/nono/packages/lockfile.json~/.config/nono/packages/<namespace>/<pack>/.nono-trust.bundleTesting shows that nono fails closed when a pack has a trust bundle but no lockfile entry. However, if the trust bundle is also absent, the same pack can load successfully. Deleting security metadata should not make a pack easier to run.
Affected behavior
Observed with
always-further/claude:Delete
~/.config/nono/packages/lockfile.json.Result:
Delete
~/.config/nono/packages/always-further/claude/.nono-trust.bundle.Result: the profile loads successfully.
Restore
.nono-trust.bundlewhile the lockfile is still absent.Result:
Impact
If both the lockfile entry and trust bundle are absent, nono may accept an installed registry pack without artifact hash verification or provenance verification.
This is especially important for pack-provided session hooks, because session hooks execute on the host outside the sandbox. A pack that contributes host-executed code should not run unless nono can verify that the code is a locked and trusted pack artifact.
Root cause
verify_profile_packstreats the lockfile entry as optional. Existing code fails when a trust bundle exists without a matching lockfile entry, but when the trust bundle is absent too, there is no equivalent hard failure.That creates a fail-open state:
Recommended fix
For any registry pack selected for execution, require both:
~/.config/nono/packages/lockfile.json..nono-trust.bundlein the installed pack directory.If either is missing, fail closed with a reinstall instruction, for example:
This keeps verification monotonic: removing provenance metadata cannot downgrade a verification failure into a successful launch.