{"id":43583468,"url":"https://github.com/lukehinds/nono","last_synced_at":"2026-02-10T09:25:43.058Z","repository":{"id":335854427,"uuid":"1146550474","full_name":"lukehinds/nono","owner":"lukehinds","description":"A secure, kernel-enforced capability sandbox for AI agents","archived":false,"fork":false,"pushed_at":"2026-02-05T22:59:31.000Z","size":5032,"stargazers_count":261,"open_issues_count":24,"forks_count":15,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-02-06T09:43:56.646Z","etag":null,"topics":["ai","ai-agents","isolation","sandbox","security"],"latest_commit_sha":null,"homepage":"https://nono.sh","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lukehinds.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-31T09:25:45.000Z","updated_at":"2026-02-06T07:46:56.000Z","dependencies_parsed_at":"2026-02-06T02:01:11.551Z","dependency_job_id":null,"html_url":"https://github.com/lukehinds/nono","commit_stats":null,"previous_names":["lukehinds/nono"],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/lukehinds/nono","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lukehinds%2Fnono","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lukehinds%2Fnono/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lukehinds%2Fnono/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lukehinds%2Fnono/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lukehinds","download_url":"https://codeload.github.com/lukehinds/nono/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lukehinds%2Fnono/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29185107,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-07T00:44:15.062Z","status":"online","status_checked_at":"2026-02-07T02:00:07.217Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai","ai-agents","isolation","sandbox","security"],"created_at":"2026-02-04T00:08:42.670Z","updated_at":"2026-02-07T03:00:27.687Z","avatar_url":"https://github.com/lukehinds.png","language":"Rust","funding_links":[],"categories":["Tools \u0026 Utilities","Rust"],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n# nono\n\n**A secure, kernel-enforced capability sandbox for AI agents**\n\n\u003ca href=\"https://discord.gg/pPcjYzGvbS\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/Chat-Join%20Discord-7289da?style=for-the-badge\u0026logo=discord\u0026logoColor=white\" alt=\"Join Discord\"/\u003e\n\u003c/a\u003e\n\n\u003cp\u003e\n  \u003ca href=\"https://opensource.org/licenses/Apache-2.0\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/License-Apache%202.0-blue.svg\" alt=\"License\"/\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/lukehinds/nono/actions/workflows/ci.yml\"\u003e\n    \u003cimg src=\"https://github.com/lukehinds/nono/actions/workflows/ci.yml/badge.svg\" alt=\"CI Status\"/\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://discord.gg/pPcjYzGvbS\"\u003e\n    \u003cimg src=\"https://img.shields.io/discord/1384081906773131274?color=7289da\u0026label=Discord\u0026logo=discord\u0026logoColor=white\" alt=\"Discord\"/\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n\u003c/div\u003e\n\n\u003e [!WARNING]\n\u003e This is an early alpha release that has not undergone comprehensive security auditing or peer review. Some of the core policy files are still undergoing changes. Although care and attention has been made and the author has a long background in security, there are no guarantees regarding maturity or stability. Not recommended for production environments. Please do raise bugs, if you see something wrong, you're probably right. \n\n**nono** is a secure, kernel-enforced capability shell for running untrusted AI agents and processes. Unlike policy-based sandboxes that intercept and filter operations, nono leverages OS security primitives (Landlock on Linux, Seatbelt on macOS) to create an environment where unauthorized operations are structurally impossible.\n\n## Quick Start\n\n### Homebrew (macOS)\n\n```bash\nbrew tap lukehinds/nono \nbrew install nono\n```\n\n### Prebuilt Binaries\nDownload the latest release from the [Releases](https://github.com/lukehinds/nono/releases) page.\n\n### Build from Source\n\n```bash\ngit clone https://github.com/lukehinds/nono.git\ncd nono\ncargo build --release\n```\n\n## Get Started!\n\n\n### Claude Code\n\nRun Claude Code in a sandboxed environment:\n\n```bash\nnono run --profile claude-code --allow . claude\n```\n\nThis command:\n- Grants read+write access to your current directory\n\n#### Creating an Alias\n\nChoose ONE of the following options:\n\n**Option 1: Simple (limited) alias** (if you only need current directory access)\n\n```bash\nalias sclaude='nono run --profile claude-code --allow . claude'\n```\n\nUsage: `sclaude`\n\n\u003e Note: This alias does NOT support additional flags like `--allow /tmp`. If you need to grant access to additional paths, use Option 2 instead.\n\n**Option 2: Flexible function** (if you need to grant additional paths)\n\n```bash\nsclaude() {\n    nono run --profile claude-code --allow . \"$@\" -- claude\n}\n```\n\nUsage:\n```bash\nsclaude                           # Current directory only\nsclaude --allow /tmp              # Current directory + /tmp\nsclaude --read ~/Documents        # Current directory + read-only ~/Documents\n```\n\n#### Verifying Your Setup\n\nAfter adding the alias/function, reload your shell configuration:\n\n```bash\nsource ~/.zshrc  # or ~/.bashrc\n```\n\nTest that it works:\n\n```bash\n# Check that nono grants the expected permissions\nsclaude --dry-run\n\n# Verify Claude version (ensure consistent version)\nwhich claude\n```\n\n## Features\n\n- **No escape hatch** - Once inside nono, there is no mechanism to bypass restrictions\n- **Agent agnostic** - Works with any AI agent (Claude, GPT, opencode, openclaw) or any process\n- **OS-level enforcement** - Kernel denies unauthorized operations\n- **Destructive command blocking** - Blocks dangerous commands like `rm`, `dd`, `chmod` by default\n- **Cross-platform** - Linux (Landlock) and macOS (Seatbelt)\n\n## Usage\n\n```bash\n# Allow read+write to current directory\nnono run --allow . -- command\n\n# Separate read and write permissions\nnono run --read ./src --write ./output -- cargo build\n\n# Multiple paths\nnono run --allow ./project-a --allow ./project-b -- command\n\n# Block network access\nnono run --allow . --net-block -- command\n\n# Dry run (show what would be sandboxed)\nnono run --allow . --dry-run -- command\n\n# Check why a path would be blocked\nnono why ~/.ssh/id_rsa\n```\n\n## Command Blocking\n\nnono blocks dangerous commands by default to prevent AI agents from accidentally (or maliciously) causing harm. This provides defense-in-depth beyond filesystem restrictions.\n\n### Blocked Commands\n\nThe following categories of commands are blocked by default:\n\n| Category | Commands |\n|----------|----------|\n| File destruction | `rm`, `rmdir`, `shred`, `srm` |\n| Disk operations | `dd`, `mkfs`, `fdisk`, `parted`, `wipefs` |\n| Permission changes | `chmod`, `chown`, `chgrp`, `chattr` |\n| System modification | `shutdown`, `reboot`, `halt`, `systemctl` |\n| Package managers | `apt`, `brew`, `pip`, `yum`, `pacman` |\n| File operations | `mv`, `cp`, `truncate` |\n| Privilege escalation | `sudo`, `su`, `doas`, `pkexec` |\n| Network exfiltration | `scp`, `rsync`, `sftp`, `ftp` |\n\n### Overriding Command Blocks\n\n```bash\n# Allow a specific blocked command (use with caution)\nnono run --allow . --allow-command rm -- rm ./temp-file.txt\n\n# Block an additional command\nnono run --allow . --block-command my-dangerous-tool -- my-script.sh\n```\n\n### Kernel-Level Protection\n\nEven if a command is allowed via `--allow-command`, nono applies kernel-level protection that blocks:\n\n- **File deletion** - `unlink`/`rmdir` syscalls are blocked\n- **File truncation** - Cannot zero out files via truncation\n\nThis means even if `rm` is allowed, the actual deletion is blocked by the kernel:\n\n```bash\n$ nono run --allow /tmp/test --allow-command rm -- rm /tmp/test/file.txt\nrm: /tmp/test/file.txt: Operation not permitted\n```\n\n## How It Works\n\n```\n┌─────────────────────────────────────────────────┐\n│  Terminal                                       │\n│                                                 │\n│  $ nono run --allow ./project -- agent          │\n│                                                 │\n│  ┌───────────────────────────────────────────┐  │\n│  │  nono (applies sandbox, then exec)        │  │\n│  │                                           │  │\n│  │  ┌─────────────────────────────────────┐  │  │\n│  │  │  Agent (sandboxed)            │  │  │\n│  │  │  - Can read/write ./project         │  │  │\n│  │  │  - Cannot access ~/.ssh, ~/.aws...  │  │  │\n│  │  │  - Network: allowed (or blocked)    │  │  │\n│  │  └─────────────────────────────────────┘  │  │\n│  └───────────────────────────────────────────┘  │\n└─────────────────────────────────────────────────┘\n```\n\n## Platform Support\n\n| Platform | Mechanism | Kernel | Status |\n|----------|-----------|--------|--------|\n| macOS | Seatbelt | 10.5+ | Filesystem + Network |\n| Linux | Landlock | 5.13+ | Filesystem |\n| Linux | Landlock | 6.7+ | Filesystem + Network (TCP) |\n| Windows | - | - | Not yet supported |\n\n## Roadmap\n\n### Planned Features\n\n| Feature | Description |\n|---------|-------------|\n| **Advisory API** | Allow agents to preemptively check permissions before attempting operations, avoiding trial-and-error failures |\n| **Signed Policy Files** | Policy files signed and attestable via [Sigstore Rekor](https://rekor.sigstore.dev/), with embedded DSSE signed payloads. Users can craft and sign their own default policies |\n| **Interactive Permission Mode** | `nono run --interactive` spawns a supervisor that prompts when blocked operations are attempted |\n| **Network Filtering** | Fine-grained network controls (e.g. allowlist/denylist hosts, ports, protocols) |\n| **Time-Limited Permissions** | `nono run --allow /tmp:5m -- agent` grants temporary access that expires automatically |\n| **Learning Mode** | `nono learn -- command` traces syscalls and generates a minimal capability profile |\n| **Ephemeral Mode** | `nono run --ephemeral` creates a copy-on-write overlay filesystem where writes are isolated, enabling full undo |\n| **Audit Logging** | `nono run --audit-log ./session.jsonl -- command` logs all sandbox-relevant operations for post-hoc analysis and replay |\n| **Windows Support** | Implement a Windows version using Job Objects and Windows Sandbox |\n\n\n## Security Model\n\nnono follows a capability-based security model with defense-in-depth:\n\n1. **Command validation** - Dangerous commands (rm, dd, chmod, etc.) are blocked before execution\n2. **Sandbox applied** - OS-level restrictions are applied (irreversible)\n3. **Kernel enforcement** - Even allowed paths cannot have files deleted or truncated\n4. **Command executed** - The command runs with only granted capabilities\n5. **All children inherit** - Subprocesses also run under restrictions\n\n### Defense Layers\n\n| Layer | Protection | Bypass |\n|-------|------------|--------|\n| Command blocklist | Blocks known-dangerous binaries | `--allow-command` |\n| Kernel (delete) | Blocks unlink/rmdir syscalls | None |\n| Kernel (truncate) | Blocks file truncation | None |\n| Filesystem sandbox | Restricts path access | Explicit `--allow` |\n| Network sandbox | Blocks network access | Remove `--net-block` |\n\n## License\n\nApache-2.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flukehinds%2Fnono","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flukehinds%2Fnono","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flukehinds%2Fnono/lists"}