nono CLI

Sandbox any process with one command

The nono CLI wraps any process — AI agents, scripts, build tools — with kernel-enforced filesystem isolation, network filtering, credential injection, and atomic rollback. No code changes required.

Install

Homebrew

    brew install nono

Cargo

    cargo install nono

Filesystem Isolation

Default-deny filesystem access enforced by Landlock (Linux and Windows) and Seatbelt (macOS). Only explicitly allowed paths are accessible. Sensitive directories like ~/.ssh and ~/.aws are blocked by default.

Network Filtering

Allowlist outbound connections by domain. Built-in profiles for common LLM providers. All other network access is blocked — no data exfiltration, no SSRF, no C2 callbacks.

Credential Injection

Real API keys stay in your system keychain. The sandboxed process receives phantom tokens that only work with a localhost proxy. Even if the process is compromised, there are no real credentials to steal.

Atomic Rollback

Every session is snapshotted before execution. Review what changed, then accept or roll back to the pre-session state. No partial writes, no corrupted state.

basic-usage.sh

    # Sandbox a Python agent with default-deny filesystem
    nono run --allow-cwd -- python my_agent.py

    # Sandbox Claude Code with the built-in profile
    nono run --profile claude-code --allow-cwd -- claude

    # Restrict network to specific hosts
    nono run --allow-cwd --network-profile minimal -- python my_agent.py

    # Inject credentials from keychain (real keys never enter the sandbox)
    nono run --allow-cwd --proxy-credential openai -- python my_agent.py

my-agent-profile.json

    {
      "meta": { "name": "my-agent", "version": "1.0.0" },
      "workdir": { "access": "readwrite" },
      "security": { "groups": ["python_runtime"] },
      "filesystem": {
        "read_file": ["/etc/ssl/cert.pem"],
        "write": ["/tmp"]
      },
      "policy": {
        "add_deny_access": [
          "$HOME/.ssh", "$HOME/.aws", "$HOME/.gnupg"
        ]
      },
      "network": {
        "allow_hosts": ["api.openai.com", "api.anthropic.com"],
        "proxy_credentials": ["openai", "anthropic"]
      }
    }

Profiles & Learning

Profiles are JSON files that declare exactly what a process is allowed to do. Write them by hand or use nono learn to trace a process and auto-generate a profile from observed behaviour. Built-in profiles are available for Claude Code, Codex, and other AI tools.

advanced.sh

    # Trace a process to auto-generate a profile
    nono learn --timeout 60 --json -- python my_agent.py

    # Check why a specific path would be blocked
    nono why --path ~/.ssh/id_rsa --op read

    # Verify an instruction file's signature
    nono trust verify GEMINI.md --policy ./trust-policy.json
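
A profile, whether hand-written or produced by nono learn, is worth reviewing before it is adopted. The following is an added example, not part of nono or of this page's own code: a Python check over the profile layout shown in my-agent-profile.json that reports filesystem grants overlapping sensitive directories and proxy credentials with no similarly named allowed host. The SENSITIVE baseline, the name-matching heuristic and the sample profile are assumptions constructed for illustration; paths are compared textually, so $HOME is not expanded.

```python
import json
from pathlib import PurePosixPath

# Constructed sample in the profile layout shown on this page. The "$HOME" read
# grant, the shortened deny list and the missing host are deliberate test cases.
SAMPLE_PROFILE = json.loads("""
{
  "filesystem": {"read_file": ["/etc/ssl/cert.pem", "$HOME"], "write": ["/tmp"]},
  "policy": {"add_deny_access": ["$HOME/.ssh", "$HOME/.aws"]},
  "network": {"allow_hosts": ["api.openai.com"], "proxy_credentials": ["openai", "anthropic"]}
}
""")

# Reviewer's own baseline of sensitive directories (assumption, not a list taken from nono).
SENSITIVE = ["$HOME/.ssh", "$HOME/.aws", "$HOME/.gnupg"]


def _covers(grant: str, target: str) -> bool:
    """True when `grant` equals `target` or is an ancestor directory of it."""
    g, t = PurePosixPath(grant).parts, PurePosixPath(target).parts
    return len(g) <= len(t) and t[:len(g)] == g


def review_profile(profile: dict, sensitive=SENSITIVE) -> list[str]:
    """Return findings for a human reviewer; does not model nono's precedence rules."""
    findings = []
    denied = profile.get("policy", {}).get("add_deny_access", [])
    for key, paths in profile.get("filesystem", {}).items():
        for grant in paths:
            for target in sensitive:
                if not (_covers(grant, target) or _covers(target, grant)):
                    continue
                listed = any(_covers(d, target) for d in denied)
                state = "deny-listed" if listed else "NOT deny-listed"
                findings.append(f"filesystem.{key} '{grant}' overlaps {target} ({state})")
    net = profile.get("network", {})
    hosts = net.get("allow_hosts", [])
    # Heuristic (assumption): a credential name should appear in some allowed host name.
    for cred in net.get("proxy_credentials", []):
        if not any(cred in host for host in hosts):
            findings.append(f"proxy_credentials '{cred}' has no matching allow_hosts entry")
    return findings


if __name__ == "__main__":
    print("\n".join(review_profile(SAMPLE_PROFILE)) or "no findings")
```

An overlap marked "deny-listed" still deserves a look: the check only reports that a broad grant and a deny entry coexist, and nono why can then be used to confirm how a specific path resolves.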

Key Features

Kernel enforcement

Restrictions applied via Landlock/Seatbelt cannot be escalated from inside the process.

Trust verification

Cryptographically sign instruction files. Tampered files are rejected before the process starts.

Audit trail

Every action is logged in a tamper-evident, cryptographically chained audit log.

Built-in profiles

Pre-configured profiles for Claude Code, Codex, OpenCode, and other AI tools.

Get started with nono

Runtime safety infrastructure that works on macOS, Linux, Windows, and in CI.