nono agents run free but not amok Kernel-enforced process isolation for AI agents. Get Started View on GitHub From the creator of Sigstore The industry standard for software signing, used by PyPi, Homebrew, Maven and Google, GitHub, NVIDIA Terminal $ Sandbox active. Restrictions are now in effect Accessing credentials for deployment... cat: ~/.aws/credentials: Operation not permitted cat: ~/.ssh/id_rsa: Operation not permitted “ OS-Level Isolation for AI Agents. Really awesome work and resource here ” Chris Hughes VP, Security Strategy @ Zenity “ Neat project, thanks for sharing! I like the OS-specific security primitives, useful built-in profiles, and being able to customize what's allowed/blocked. ” Clint Gibler Head of Security Research at Semgrep “ nono hits the real problem: agents shouldn’t inherit full user trust by default. Treating them like untrusted processes, with deny-by-default filesystem, network, and secrets access, feels like the right baseline going forward. ” snapsec Centralising Application Security “ Beautiful work! It is encouraging to see kernel security being taken seriously, especially during this current episode of OpenClaw and Moltbot. ” Cuong Nguyen Cloud Architect and System Engineer Security without compromise Unlike policy-based sandboxes that intercept and filter operations, nono leverages OS security primitives to create an environment where unauthorized operations are structurally impossible. Destruction-proof Destructive commands are blocked. No more accidental rm -rf ~/, no more reboot trolling. No more rogue agents wreaking havoc on your system. Native SDKs Coming soon A Rust library at its core, with native SDKs for Python, TypeScript, and any language with C FFI. Embed sandboxing directly in your agent code. OS-Level Enforcement Kernel denies unauthorized operations directly. No interception, no filtering - operations are structurally impossible. Keys and credentials protected Keys and secrets stored within hardware-backed keychains remain protected and zeroised on termination. How it works Grant explicit capabilities. The OS enforces them at the kernel level. Restrictions are irreversible for the sandboxed process. 1 Define capabilities $ nono --profile bespoke --allow ./project agent Specify which paths and network hosts the process can access. Everything else is denied by default. 2 Kernel locks down Sandbox active. Restrictions are now in effect. OS security primitives (Landlock on Linux, Seatbelt on macOS) enforce restrictions at the kernel level. 3 Unauthorized access blocked cat: .ssh/id_rsa: Operation not permitted The kernel denies operations outside granted capabilities. No interception, no filtering — structurally impossible. Embed in your agent nono is a library, not just a CLI. Drop kernel-enforced sandboxing into your agent code in three lines. Coming soon Python import nono_py as nono caps = nono . CapabilitySet ( ) caps . allow_path ( "/project" , nono . AccessMode . READ_WRITE ) caps . block_network ( ) nono . apply ( caps ) TypeScript import { CapabilitySet , AccessMode , apply } from 'nono-ts' ; const caps = new CapabilitySet ( ) ; caps . allowPath ( '/project' , AccessMode . ReadWrite ) ; caps . blockNetwork ( ) ; apply ( caps ) ; Rust use nono :: { CapabilitySet , AccessMode , Sandbox } ; let caps = CapabilitySet :: new ( ) . allow_path ( "/project" , AccessMode :: ReadWrite ) ? . block_network ( ) ; Sandbox :: apply ( & caps ) ? ; Get started Get up and running in seconds. brew tap always-further/nono brew install nono macOS via Seatbelt Linux via Landlock Building from source requires Rust toolchain. See the docs for more installation options.