nono: The Kernel Sandbox Top AI Engineers Are Switching To
Your AI agent just exfiltrated your AWS keys. It happened silently—no alert, no log entry you could trace. One moment, Claude Code was helping you refactor; the next, your credentials were phoning home through a dependency you didn't audit. Here's the gut punch: this isn't a bug. It's the default. Most developers run AI agents with the same permissions as their user account, trusting that a "helpful assistant" won't turn malicious. But agents don't need to be evil to be dangerous—they just need to be exploited.
The sandboxing solutions that exist? They're relics. Docker containers with 20-second startup times. VMs that chew through your laptop battery. Browser-based isolation that breaks your entire workflow. None were built for the reality of modern AI development: agents that spawn agents, tools that call tools, credentials flowing through a dozen touchpoints.
Enter nono—the kernel-isolated sandbox designed from first principles for AI agents. Created by the same engineer who built Sigstore (now securing PyPI, npm, brew, and Maven Central), nono delivers capability-based security with zero setup and zero latency. No containers. No VMs. Pure kernel enforcement that inherits down every child process your agent spawns. This isn't a wrapper around existing tools. It's a fundamental rethinking of how AI agents should exist in your operating system.
If you're running Claude Code, Codex, OpenCode, or any agent framework without kernel-level isolation, you're one malicious dependency away from catastrophe. nono changes the game entirely—and by the end of this article, you'll understand why the engineers who built the software supply chain's security infrastructure are betting on it.
What is nono? Understanding the Kernel-Isolated Revolution
nono is a capability-based sandbox runtime that brokers access directly within an AI agent's operating context. Unlike traditional sandboxing approaches that rely on containers, virtual machines, or browser isolation, nono leverages kernel-level enforcement mechanisms—Landlock on Linux and Seatbelt on macOS—to create irreversible, inheritable security boundaries.
The project was created by always-further, the same organization behind Sigstore, the cryptographic signing standard that now protects the majority of open-source software distribution. This lineage matters: nono inherits a security-first philosophy that treats agent isolation with the same rigor as software supply chain attestation.
Why "Capability-Based" Changes Everything
Traditional permission models operate on deny-lists: everything is allowed unless explicitly blocked. nono inverts this with capability-based security—a model derived from operating systems research where processes possess only the specific rights they need, and nothing more. When you create a CapabilitySet in nono, you're constructing a positive authorization: read /data/models, write /tmp/workspace, access api.openai.com—and literally nothing else.
This approach eliminates entire classes of attacks. No confused deputy problems. No privilege escalation through unexpected paths. If your agent is compromised, the blast radius is mechanically constrained by the kernel itself, not by a userspace policy that can be bypassed.
The "Zero Latency" Claim—And Why It Holds
nono's kernel integration means sandbox application happens through system calls, not through process virtualization. There's no container runtime to initialize, no hypervisor to trap-and-emulate, no network proxy to establish. The Sandbox::apply() call in the Rust core is a one-way, irreversible operation that the kernel enforces for the calling process and all descendants. The overhead? Microseconds, not seconds.
This matters profoundly for AI workflows where agents spawn tools, tools spawn subprocesses, and latency compounds at every layer. A Docker-based solution might add 2-3 seconds per invocation; nono adds negligible overhead.
Current Trajectory
With the nono registry now in alpha, the project is evolving from a CLI tool into a distributable policy ecosystem. The registry allows organizations to host, version, and securely distribute sandbox profiles—transforming security from a local configuration problem into a collaborative, auditable practice.
Key Features: The Technical Architecture That Makes nono Different
| Feature | Technical Implementation | Why It Matters |
|---|---|---|
| Kernel Sandbox | Landlock LSM (Linux) + Seatbelt (macOS) | Irreversible, inherited by child processes; no userspace bypass possible |
| Credential Injection | Proxy mode with external keystore integration | API keys never enter the sandbox's address space |
| Attestation | Sigstore Cosign signatures on instruction files | Cryptographic verification that your agent's instructions haven't been tampered with |
| Network Filtering | Local proxy with allowlist + hard-denied cloud metadata | Prevents SSRF to 169.254.169.254 and similar metadata endpoints |
| Snapshots | Content-addressable storage with SHA-256 + Merkle trees | Instant rollback with cryptographic integrity guarantees |
| Policy Profiles | Declarative TOML/YAML configurations | Reusable, versionable security postures for different agents |
| Audit Logs | Structured events with optional append-only hashing | Forensic evidence that resists tampering |
| Multiplexing | Per-agent sandbox namespaces | Parallel agent execution without cross-contamination |
Deep Dive: The Proxy Mode Architecture
nono's credential injection is architecturally elegant. Rather than passing API keys into the sandbox—where a compromised agent could read them from environment variables or memory—the proxy mode terminates authentication outside the sandbox entirely. The agent makes requests to a local proxy; the proxy attaches credentials from your keystore, 1Password vault, or Apple Passwords. The agent never possesses the secret; it merely transits through a trusted, isolated channel.
This is supply chain security applied to runtime behavior: the same cryptographic rigor that Sigstore brings to software artifacts, nono brings to agent execution.
Snapshot Integrity: Beyond Simple Backups
The snapshot system isn't cp -r with extra steps. It uses content-addressable storage where each filesystem state is identified by the SHA-256 of its contents, organized in a Merkle tree. This means:
- Deduplication: Identical files across snapshots store once
- Integrity verification: Any tampering with snapshot data is immediately detectable
- Efficient diffing: Only changed content needs new storage
For AI agents that may make destructive changes during exploration, this provides instant, trustworthy rollback—critical for autonomous agent workflows.
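The content-addressed, Merkle-rooted snapshot idea described above, as an added illustration in Python (not nono's own code or storage format): a constructed in-memory workspace is snapshotted twice, unchanged blobs are stored once, the root commits to the whole tree, and tampering with a stored blob is caught at restore time.

```python
import hashlib
from typing import Dict, Tuple

# Constructed sample workspace (path -> bytes); not nono's real on-disk snapshot format.
WORKSPACE_V1 = {
    "README.md": b"# demo\n",
    "src/auth.py": b"def login(u, p): ...\n",
    "src/util.py": b"def helper(): pass\n",
}
# Second state after an agent edit: one file changed, two unchanged.
WORKSPACE_V2 = {**WORKSPACE_V1, "src/auth.py": b"def login(u, p): return check(u, p)\n"}


def blob_id(data: bytes) -> str:
    """Content address of a file: SHA-256 over its bytes, so equal content gets the same id."""
    return hashlib.sha256(b"blob\0" + data).hexdigest()


def merkle_root(manifest: Dict[str, str]) -> str:
    """Hash (path, blob id) leaves pairwise up to one root that commits to the whole tree."""
    level = [hashlib.sha256(f"{p}\0{b}".encode()).digest() for p, b in sorted(manifest.items())]
    if not level:
        return hashlib.sha256(b"empty").hexdigest()
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # odd level: duplicate the last node
        level = [hashlib.sha256(level[i] + level[i + 1]).digest() for i in range(0, len(level), 2)]
    return level[0].hex()


def snapshot(files: Dict[str, bytes], store: Dict[str, bytes]) -> Tuple[str, Dict[str, str]]:
    """Write each blob to the content-addressed store and return (root, manifest)."""
    manifest = {path: blob_id(data) for path, data in files.items()}
    for path, bid in manifest.items():
        store.setdefault(bid, files[path])  # dedup: identical content is stored once
    return merkle_root(manifest), manifest


def verify(root: str, manifest: Dict[str, str], store: Dict[str, bytes]) -> bool:
    """Restore-time check: every blob must hash to its id and the manifest must reproduce the root."""
    blobs_ok = all(bid in store and blob_id(store[bid]) == bid for bid in manifest.values())
    return blobs_ok and merkle_root(manifest) == root


def demo() -> dict:
    store: Dict[str, bytes] = {}
    root1, man1 = snapshot(WORKSPACE_V1, store)
    root2, man2 = snapshot(WORKSPACE_V2, store)
    changed = sorted(p for p in man1 if man1[p] != man2[p])  # diff by comparing ids only
    ok_before = verify(root1, man1, store)
    # Simulate tampering with the stored bytes of v1's auth.py blob.
    store[man1["src/auth.py"]] = b"def login(u, p): return True\n"
    ok_after = verify(root1, man1, store)
    return {"blobs_stored": len(store), "roots_differ": root1 != root2,
            "changed": changed, "ok_before": ok_before, "ok_after": ok_after}
```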
Real-World Use Cases: Where nono Transforms Agent Security
Use Case 1: Multi-Tenant CI/CD Pipelines
You're running Claude Code in GitHub Actions to review PRs, generate tests, and suggest refactors. Without isolation, a malicious PR could craft a prompt injection that exfiltrates GITHUB_TOKEN or modifies your repository. With nono:
- The agent gets read-only access to the checked-out code
- No network access except to your approved API endpoints
- Credential injection means the GitHub token never enters the sandbox
- Attestation verifies the SKILLS.md instruction file hasn't been tampered with
Result: Autonomous code review without autonomous risk.
Use Case 2: Local Development with Untrusted Dependencies
You're experimenting with a new npm package that your agent suggested. Before nono, you'd either trust it blindly or containerize your entire workflow. With nono:
- Agent runs with no filesystem write access outside /tmp/sandbox
- Network allowlist permits only registry.npmjs.org and your APIs
- Snapshots capture pre-install state for instant recovery
- If the package is malicious, it cannot persist or phone home
Use Case 3: Parallel Agent Orchestration
You're running multiple research agents simultaneously—one analyzing your codebase, one querying documentation, one generating tests. Traditional approaches risk cross-contamination: Agent A's temporary files leak to Agent B; Agent B's network access allows it to observe Agent A's API calls.
nono's multiplexing creates fully isolated namespaces per agent. Each has independent:
- Capability sets
- Network proxies
- Snapshot histories
- Audit logs
Attach and detach dynamically. Scale without security degradation.
Use Case 4: Enterprise Credential Governance
Your organization uses 1Password for secrets, but AI agents need API access. Traditional approaches copy secrets into environment variables—visible to any process, any dependency, any supply chain compromise.
nono's proxy mode brokers access without exposure:
Agent → nono proxy → 1Password Connect → API endpoint
The agent sees only the proxy. The proxy holds no persistent credentials—they're fetched per-request from your vault. Zero secrets in memory. Zero secrets on disk.
Step-by-Step Installation & Setup Guide
Prerequisites
- macOS 12+ or Linux with kernel 5.13+ (Landlock LSM support)
- WSL2 for Windows users
- brew (macOS/Linux) or cargo for building from source
Installation
The fastest path to running nono:
# macOS and Linux
brew install nono
For alternative installation methods—including building from source, Docker images, and CI-specific configurations—consult the complete installation guide.
Verify Installation
nono --version
# Expected: version information and platform details
Profile Setup for Your Agent
nono includes pre-built profiles for popular agents. Initialize for your tool:
# For Claude Code
nono profile use claude-code
# For OpenAI Codex
nono profile use codex
# For OpenCode
nono profile use opencode
# List available profiles
nono profile list
Profiles are declarative policy bundles that encode:
- Filesystem access patterns
- Network endpoint allowlists
- Credential injection rules
- Audit logging configuration
Custom Profile Creation
Create ~/.config/nono/profiles/my-agent.toml:
[filesystem]
read = ["/home/user/projects", "/usr/share/doc"]
write = ["/tmp/agent-workspace"]
execute = ["/usr/bin/git", "/usr/bin/python3"]
[network]
allow_hosts = ["api.openai.com", "api.anthropic.com", "github.com"]
deny_cloud_metadata = true
[credentials]
proxy_mode = true
keystore = "1password"
[audit]
level = "supervised"
integrity_hash = true
Apply with:
nono run --profile my-agent -- claude
Registry Integration (Alpha)
The nono registry enables distributed policy management:
# Authenticate with your organization's registry
nono auth login registry.nono.sh
# Pull verified profiles
nono pull always-further/secure-coding
# Use in your workflow
nono run --profile always-further/secure-coding -- codex
REAL Code Examples from the nono Repository
Example 1: Core Rust API—Capability Set Construction
This is the foundational pattern from nono's Rust core, demonstrating how to programmatically construct and apply a sandbox:
use nono::{CapabilitySet, Sandbox};

// The snippet is wrapped in main() here so that `?` has a Result-returning function
// to propagate into (editorial addition; it assumes nono's error type implements
// std::error::Error so it converts into Box<dyn Error>).
fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Initialize an empty capability set—deny everything by default
    let mut caps = CapabilitySet::new();
    // Explicitly grant read access to model weights directory
    // This uses Landlock/Seatbelt to create a kernel-level rule
    caps.allow_read("/data/models")?;
    // Grant write access to a specific workspace—agent cannot escape
    caps.allow_write("/tmp/workspace")?;
    // Apply capabilities to the current process
    // CRITICAL: This call is IRREVERSIBLE. The kernel enforces these
    // restrictions for this process and ALL child processes forever.
    Sandbox::apply(&caps)?;
    // Anything spawned from here on inherits the same restrictions.
    Ok(())
}
What's happening here? The CapabilitySet starts from zero privileges—a core security principle called "deny by default." Each allow_* call adds a specific, bounded exception. The ? operator propagates errors if a path doesn't exist or permissions are insufficient. The Sandbox::apply() call is the point of no return: after this executes, the Linux kernel's Landlock LSM or macOS's Seatbelt actively prevents any access outside the granted capabilities.
This pattern is policy-free by design—the core library applies only what you explicitly request, with no hidden defaults or "convenience" permissions that create attack surface.
Example 2: Pre-Built Profile Usage (CLI)
From the Quick Start documentation, here's how developers actually run nono with existing agent integrations:
# nono provides profiles for major AI coding assistants
# These encode security best practices for each tool's access patterns
# Claude Code: filesystem access to project dirs, network to Anthropic APIs
nono profile use claude-code
# OpenAI Codex: similar pattern, OpenAI-specific endpoints
nono profile use codex
# OpenCode: community-driven profile for the OpenCode framework
nono profile use opencode
# OpenClaw: emerging agent framework with specific requirements
nono profile use openclaw
# Swival: another supported agent runtime
nono profile use swival
# For custom setups, define your own profile
# Documentation: https://docs.nono.sh/cli/features/profiles-groups
Practical insight: These profiles aren't just configuration files—they're curated security postures developed through analysis of each agent's actual behavior. Claude Code, for instance, needs Git access, project filesystem traversal, and Anthropic API connectivity. The profile grants precisely these capabilities and nothing more, eliminating the guesswork of manual policy construction.
Example 3: Registry-Based Policy Distribution
The alpha registry feature enables organizational policy as code:
# The nono registry is now in alpha at registry.nono.sh
# It hosts skills, hooks, policies, and verified configurations
# Pull a verified sandbox policy from an organization
nono pull always-further/secure-coding
# This downloads:
# - The policy profile (filesystem, network rules)
# - Associated hooks (pre-run validation)
# - Skills definitions (agent instruction templates)
# - Cryptographic signatures for verification
# After pulling, use directly in your workflow
nono run --profile always-further/secure-coding -- claude
# The registry enables:
# - Versioned policy evolution
# - Organizational standardization
# - Secure distribution (Sigstore-signed packages)
# - Dependency-like management of security posture
Why this matters: Security policies have historically been tribal knowledge—documented in wikis, enforced through code review, degrading over time. The registry treats policies as versioned, signed, distributable artifacts—the same maturity model that transformed software dependencies with npm, cargo, and similar tools.
Advanced Usage & Best Practices
Snapshot Strategy for Destructive Operations
Before running any agent with write capabilities:
# Create a named snapshot
nono snapshot create pre-refactor --tag baseline
# Run your agent with potential destructive changes
nono run --snapshot pre-refactor -- claude "refactor the auth module"
# If something goes wrong, instant rollback
nono snapshot restore pre-refactor
The Merkle tree structure means snapshots are cryptographically verifiable—you can prove a restored state matches the original.
Audit Log Hardening
For compliance-sensitive environments:
[audit]
level = "supervised" # Log all agent actions with human oversight
integrity_hash = true # Append-only SHA-256 chain
evidence_fs = true # Filesystem-level evidence capture
The append-only integrity hashing creates a tamper-evident log: each entry includes the hash of the previous, making undetected modification computationally infeasible.
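The hash-chained log described above, as an added Python illustration (not nono's audit implementation; the event shapes are constructed): each entry's hash covers the previous hash, so editing or deleting an entry is detected, while the last case shows the limit a practitioner must cover separately.

```python
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # previous-hash value for the first entry


def _entry_hash(seq: int, prev: str, event: Dict) -> str:
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{seq}|{prev}|{body}".encode()).hexdigest()


def append_event(log: List[Dict], event: Dict) -> Dict:
    """Append one structured event; its hash covers the previous entry's hash."""
    seq = len(log)
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": seq, "prev": prev, "event": event, "hash": _entry_hash(seq, prev, event)}
    log.append(entry)
    return entry


def verify_chain(log: List[Dict]) -> Optional[int]:
    """Return the index of the first inconsistent entry, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if (entry["seq"] != i or entry["prev"] != prev
                or entry["hash"] != _entry_hash(i, prev, entry["event"])):
            return i
        prev = entry["hash"]
    return None


def demo() -> dict:
    # Constructed sample of the kind of events a supervised run might record.
    events = [
        {"op": "read", "path": "/home/user/projects/app/auth.py", "result": "allow"},
        {"op": "write", "path": "/etc/passwd", "result": "deny"},
        {"op": "connect", "host": "api.anthropic.com", "port": 443, "result": "allow"},
    ]
    log: List[Dict] = []
    for ev in events:
        append_event(log, ev)
    intact = verify_chain(log)
    # 1. Rewriting an entry in place breaks its own hash.
    tampered = json.loads(json.dumps(log))
    tampered[1]["event"]["result"] = "allow"
    edited = verify_chain(tampered)
    # 2. Dropping a middle entry breaks the seq/prev link of the next one.
    deleted = verify_chain(log[:1] + log[2:])
    # 3. Truncating the tail is NOT detectable from the chain alone, which is why the
    #    current head hash should be anchored outside the host (e.g. shipped to a remote sink).
    truncated = verify_chain(log[:-1])
    return {"intact": intact, "edited": edited, "deleted": deleted,
            "truncated": truncated, "head": log[-1]["hash"]}
```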
Network Microsegmentation
Instead of broad host allowlists, specify exact endpoints:
[network]
allow_endpoints = [
"api.openai.com:443",
"api.anthropic.com:443/v1/messages",
"raw.githubusercontent.com:443/always-further/*"
]
This prevents DNS rebinding attacks where a malicious host redirects to internal services.
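How an endpoint allowlist, the hard deny on cloud-metadata addresses, and proxy-mode credential injection (the Deep Dive and Use Case 4 sections above) fit together, as an added Python illustration that is not nono's proxy code: the broker parses the agent's credential-free request, matches it against the host:port/path rules from the profile above, resolves the name once and refuses link-local or private addresses (so an allowed name cannot be rebound to the metadata service), and only then attaches a key from a constructed keystore. FAKE_DNS, KEYSTORE and the rule list are constructed stand-ins.

```python
import fnmatch
import ipaddress
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Endpoint rules in the host:port[/path-glob] form from the profile above (constructed policy).
ALLOW_ENDPOINTS = [
    "api.openai.com:443",
    "api.anthropic.com:443/v1/messages",
    "raw.githubusercontent.com:443/always-further/*",
]

# Denied regardless of the allowlist: link-local (169.254.169.254 lives here), loopback and
# private ranges, so an allowed name that rebinds to an internal address still fails.
HARD_DENY_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "fe80::/10", "fd00::/8", "::1/128")]

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {"api.openai.com": "203.0.113.10", "api.anthropic.com": "203.0.113.20",
            "raw.githubusercontent.com": "203.0.113.30"}

# Constructed keystore; in nono this lookup would go to the external vault, outside the sandbox.
KEYSTORE = {"api.openai.com": "sk-constructed-openai", "api.anthropic.com": "sk-constructed-anthropic"}


def endpoint_allowed(host: str, port: int, path: str) -> bool:
    for rule in ALLOW_ENDPOINTS:
        hostport, _, path_glob = rule.partition("/")
        rule_host, _, rule_port = hostport.partition(":")
        if rule_host != host or int(rule_port or 443) != port:
            continue
        if not path_glob or fnmatch.fnmatchcase(path.lstrip("/"), path_glob):
            return True
    return False


def broker(url: str, resolve: Optional[Dict[str, str]] = None) -> Tuple[str, Dict[str, str]]:
    """Decide on an agent's outbound request: ("allow", upstream headers) or ("deny", {"reason": ...}).
    The request arrives without any credential; one is attached only for an allowed host."""
    resolve = FAKE_DNS if resolve is None else resolve
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path or "/"
    if parts.scheme != "https":
        return "deny", {"reason": "only TLS upstreams are brokered"}
    if not endpoint_allowed(host, port, path):
        return "deny", {"reason": f"{host}:{port}{path} not in allow_endpoints"}
    ip = resolve.get(host)  # resolved once here; the broker connects to this pinned address
    if ip is None or any(ipaddress.ip_address(ip) in net for net in HARD_DENY_NETS):
        return "deny", {"reason": f"{host} resolves to hard-denied address {ip}"}
    headers = {"Host": host}
    if host in KEYSTORE:
        headers["Authorization"] = f"Bearer {KEYSTORE[host]}"  # injected here, never inside the sandbox
    return "allow", headers
```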
Multiplexing for Agent Farms
# Start multiple isolated agents
nono run --name researcher-1 --profile research -- claude &
nono run --name coder-2 --profile coding -- codex &
nono run --name reviewer-3 --profile review -- opencode &
# Attach to specific agent for inspection
nono attach researcher-1
# Detach without stopping
Ctrl+B, D # or: nono detach researcher-1
Comparison with Alternatives
| Capability | nono | Docker | Firejail | gVisor | Browser Isolation |
|---|---|---|---|---|---|
| Startup Latency | <1ms | 2-30s | 50-200ms | 100-500ms | N/A (different model) |
| Kernel Enforcement | ✅ Native | ❌ Namespace-based | ✅ seccomp | ❌ ptrace emulation | ❌ Browser sandbox |
| Credential Isolation | ✅ Proxy mode | ❌ Manual | ❌ Manual | ❌ Manual | ❌ Limited |
| Agent-Specific Profiles | ✅ Built-in | ❌ DIY | ❌ DIY | ❌ DIY | ❌ No |
| Attestation | ✅ Sigstore | ❌ None | ❌ None | ❌ None | ❌ None |
| Snapshot/Rollback | ✅ Merkle trees | ❌ Volume hacks | ❌ None | ❌ Checkpoint/restore | ❌ None |
| Cross-Platform | ✅ macOS/Linux/WSL2 | ✅ Linux primary | ❌ Linux only | ❌ Linux only | ✅ Browser-dependent |
| Child Process Inheritance | ✅ Automatic | ❌ Manual config | ⚠️ Partial | ✅ Automatic | ❌ N/A |
The Verdict: Docker and Firejail are general-purpose sandboxing tools retrofitted for AI agents. gVisor pays for its isolation with performance overhead. Browser isolation breaks native toolchains. nono is the only solution designed for agent workflows—with the security pedigree of Sigstore's creator and the performance characteristics of kernel-native enforcement.
FAQ: Common Developer Concerns
Q: Does nono replace Docker for AI agents? A: For agent isolation specifically, yes—nono provides stronger guarantees with negligible overhead. For full application containerization, Docker remains appropriate. Many teams use both: Docker for service deployment, nono for agent execution within those containers.
Q: How does nono handle prompt injection attacks? A: Prompt injection is an application-layer concern; nono operates at the system layer. However, by constraining what injected prompts can do—no filesystem escape, no credential exfiltration, no network pivoting—nono dramatically limits blast radius. Combine with input validation for defense in depth.
Q: Can I use nono with my custom agent framework? A: Absolutely. The Rust core is policy-free and embeddable. The Python, TypeScript, and Go bindings expose the same capabilities. Define your own profile or use the programmatic API directly.
Q: What's the performance overhead of kernel enforcement? A: Microseconds per syscall for Landlock/Seatbelt checks. In practice, agents are network-bound (API calls) or compute-bound (model inference). The sandbox overhead is lost in the noise—unlike container startup times that dominate short-lived operations.
Q: How do snapshots differ from Git? A: Git tracks intentional changes to source code; nono snapshots capture complete filesystem state including generated artifacts, temporary files, and tool outputs. Snapshots are instant (no .gitignore management) and cryptographically integrity-protected (Merkle trees vs. SHA-1).
Q: Is the registry required, or can I use nono offline? A: Fully functional offline. The registry is an optional enhancement for organizational policy distribution. All core capabilities work with local profiles.
Q: What's the path to 1.0? A: APIs are stabilizing with minimal breaking changes expected. The registry is maturing through alpha. Native Windows support is in planning. Follow announcements for updates.
Conclusion: The Sandbox AI Agents Actually Deserve
The AI agent revolution is outpacing our security infrastructure. Every day, developers grant broad permissions to tools that execute untrusted code, process sensitive credentials, and operate with minimal oversight—because the alternatives were too slow, too rigid, or too disconnected from how agents actually work.
nono fixes this. By embedding security at the kernel level, by designing for agent-specific workflows from day one, by bringing Sigstore-grade attestation to runtime behavior—it represents the sandbox that AI-native development has been waiting for.
The zero-latency enforcement means no workflow friction. The capability-based model means provable security boundaries. The registry means scalable policy governance. And the multiplexing means parallel agent operations without cross-contamination.
If you're running AI agents in any capacity—local development, CI pipelines, production orchestration—you owe it to your security posture to evaluate nono. The installation is one brew install away. The profiles for major agents are pre-built. The migration path from unprotected execution is immediate and reversible.
Stop hoping your agents won't be compromised. Start guaranteeing they can't be.
👉 Get started now: github.com/always-further/nono
Join the Discord community for support, contribute to the registry ecosystem, and follow the project's journey toward 1.0. The future of agent security is capability-based—and it's already here.