The nono profile command provides scaffolding and tooling for creating custom profiles. Instead of reverse-engineering the JSON structure from built-in profiles, you can generate skeleton files, get editor autocomplete via JSON Schema, and access an LLM-oriented authoring guide.
For an overview of what profiles are and how they compose with groups, see Profiles & Groups.

Generating a Profile

Use nono profile init to scaffold a new profile:
# Minimal skeleton
nono profile init my-agent

# With inheritance and groups
nono profile init my-agent --extends default --groups deny_credentials

# With a description
nono profile init my-agent --extends default --description "Profile for my agent"

# Full skeleton with all sections
nono profile init my-agent --full

# Output to a specific path instead of ~/.config/nono/profiles/
nono profile init my-agent --output ./my-agent.json
By default, the profile is written to ~/.config/nono/profiles/<name>.json. Use --force to overwrite an existing file.

Minimal Skeleton

A minimal skeleton includes the core sections most profiles need:
{
  "extends": "default",
  "meta": {
    "name": "my-agent",
    "description": "Profile for my agent"
  },
  "security": {
    "groups": [
      "deny_credentials"
    ]
  },
  "workdir": {
    "access": "readwrite"
  },
  "filesystem": {
    "allow": [],
    "read": []
  }
}

Full Skeleton

With --full, additional sections are included as empty stubs for all additive fields:
{
  "meta": {
    "name": "my-agent"
  },
  "security": {
    "groups": []
  },
  "workdir": {
    "access": "readwrite"
  },
  "filesystem": {
    "allow": [],
    "read": [],
    "write": [],
    "allow_file": [],
    "read_file": [],
    "write_file": []
  },
  "policy": {
    "exclude_groups": [],
    "add_allow_read": [],
    "add_allow_write": [],
    "add_allow_readwrite": [],
    "add_deny_access": [],
    "override_deny": []
  },
  "network": {
    "block": false,
    "proxy_allow": [],
    "proxy_credentials": [],
    "port_allow": [],
    "custom_credentials": {}
  },
  "env_credentials": {},
  "hooks": {},
  "rollback": {
    "exclude_patterns": [],
    "exclude_globs": []
  }
}
Fields that would override inherited behavior are intentionally omitted from the skeleton: network_profile (emitting null would clear an inherited proxy profile), open_urls (would replace inherited OAuth2 origins), and allow_launch_services (would override inherited browser-opening permissions). Add these explicitly only when you intend to change the inherited behavior.

Validation

The init command validates inputs before writing:
  • Profile name must be alphanumeric with hyphens (no leading/trailing hyphens)
  • --extends target must exist as a built-in or user profile
  • --groups are checked against the embedded policy groups
After creating a profile, validate it:
nono policy validate ~/.config/nono/profiles/my-agent.json

JSON Schema

nono ships with a JSON Schema for profile files. Use it for editor autocomplete and validation.

Exporting the Schema

# Print to stdout
nono profile schema

# Write to a file
nono profile schema --output nono-profile.schema.json

Editor Integration

Export the schema locally, then add a $schema field to your profile for automatic validation in editors that support JSON Schema (VS Code, IntelliJ, Neovim with LSP, etc.):
{
  "$schema": "./nono-profile.schema.json",
  "meta": {
    "name": "my-agent"
  }
}
In VS Code, you can also configure schema association in .vscode/settings.json:
{
  "json.schemas": [
    {
      "fileMatch": ["**/profiles/*.json"],
      "url": "./nono-profile.schema.json"
    }
  ]
}

Authoring Guide

nono includes an embedded authoring guide designed for LLM agents assisting with profile creation:
nono profile guide
This outputs a comprehensive reference covering every profile section, field descriptions, common patterns, variable expansion, and validation workflow. It is useful when asking an LLM to help you write a profile — pipe or paste the guide into your conversation for context.

Workflow

A typical profile authoring workflow:
  1. Scaffold the profile:
    nono profile init my-agent --extends default --groups deny_credentials --full
    
  2. Edit the generated file in your editor (with schema autocomplete):
    $EDITOR ~/.config/nono/profiles/my-agent.json
    
  3. Validate the profile:
    nono policy validate ~/.config/nono/profiles/my-agent.json
    
  4. Inspect the resolved profile (after inheritance and group expansion):
    nono policy show my-agent
    
  5. Compare against a baseline:
    nono policy diff default my-agent
    
  6. Test the profile:
    nono run --profile my-agent --dry-run -- my-command
    
  7. Use the profile:
    nono run --profile my-agent -- my-command
    

Available Groups

Use nono policy groups to list all available security groups. To see details for a specific group:
nono policy groups deny_credentials
Groups are referenced by name in the security.groups field. See Profiles & Groups for the full group taxonomy and built-in group list.

Common Patterns

Agent with API Credentials

{
  "extends": "default",
  "meta": {
    "name": "api-agent",
    "description": "Agent with API access via credential injection"
  },
  "workdir": { "access": "readwrite" },
  "env_credentials": {
    "openai_api_key": "OPENAI_API_KEY"
  },
  "network": {
    "network_profile": "standard"
  }
}

CI Build Environment

{
  "meta": {
    "name": "ci-build",
    "description": "Locked-down CI environment"
  },
  "security": {
    "groups": ["deny_credentials"]
  },
  "workdir": { "access": "readwrite" },
  "network": { "block": true }
}

Override a Deny Rule

{
  "extends": "default",
  "meta": {
    "name": "docker-agent",
    "description": "Agent that needs Docker access"
  },
  "workdir": { "access": "readwrite" },
  "filesystem": {
    "allow": ["$HOME/.docker"]
  },
  "policy": {
    "override_deny": ["$HOME/.docker"]
  }
}
override_deny only removes the deny rule. You must also grant access via filesystem or policy.add_allow_* for the path to be accessible.

Exclude Inherited Groups

{
  "extends": "default",
  "meta": {
    "name": "permissive-agent",
    "description": "Agent without dangerous command blocking"
  },
  "workdir": { "access": "readwrite" },
  "policy": {
    "exclude_groups": [
      "dangerous_commands",
      "dangerous_commands_macos",
      "dangerous_commands_linux"
    ]
  }
}
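A review lint for the two patterns above that weaken inherited policy (Override a Deny Rule and Exclude Inherited Groups), added here as an example and not part of nono. It flags override_deny entries that have no matching grant, surfaces excluded groups and a null network_profile for review, and checks the name rule from the Validation section. The lint_profile and covers helpers and the parent-directory matching rule are assumptions; nono policy show remains the authoritative view of the resolved profile.

```python
import re

# Name rule from the Validation section: alphanumerics and hyphens,
# with no leading or trailing hyphen.
NAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")
FS_GRANTS = ("allow", "read", "write", "allow_file", "read_file", "write_file")
POLICY_GRANTS = ("add_allow_read", "add_allow_write", "add_allow_readwrite")

def covers(grant, path):
    # Assumption: a grant covers a path when it is the same string or a
    # parent directory. nono's own resolution is authoritative.
    grant = grant.rstrip("/")
    return path == grant or path.startswith(grant + "/")

def lint_profile(profile):
    """Return (severity, message) findings for one parsed profile."""
    findings = []
    name = profile.get("meta", {}).get("name", "")
    if not NAME_RE.match(name):
        findings.append(("error", f"invalid profile name: {name}"))
    fs, policy = profile.get("filesystem", {}), profile.get("policy", {})
    grants = [p for k in FS_GRANTS for p in fs.get(k, [])]
    grants += [p for k in POLICY_GRANTS for p in policy.get(k, [])]
    for path in policy.get("override_deny", []):
        if any(covers(g, path.rstrip("/")) for g in grants):
            findings.append(("review", f"deny rule lifted: {path}"))
        else:
            findings.append(("error", f"override_deny without grant: {path}"))
    for group in policy.get("exclude_groups", []):
        findings.append(("review", f"inherited group excluded: {group}"))
    network = profile.get("network", {})
    if "network_profile" in network and network["network_profile"] is None:
        findings.append(("review", "network_profile null clears inherited proxy profile"))
    return findings

# Constructed sample profile (not from the page), shaped as json.load()
# would return it.
SAMPLE = {
    "extends": "default",
    "meta": {"name": "-docker-agent"},
    "filesystem": {"allow": ["$HOME/.docker"]},
    "policy": {"override_deny": ["$HOME/.docker/config.json", "$HOME/.kube"],
               "exclude_groups": ["dangerous_commands"]},
    "network": {"network_profile": None},  # JSON null
}

if __name__ == "__main__":
    for severity, message in lint_profile(SAMPLE):
        print(f"{severity:6} {message}")
```

Entries reported as review are valid but relax something the base profile enforced, so they are the lines to read closely in a profile change.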

CLI Reference

| Command | Description |
|---|---|
| nono profile init <name> | Generate a skeleton profile |
| nono profile init <name> --extends <base> | Inherit from a base profile |
| nono profile init <name> --groups <g1>,<g2> | Pre-populate security groups |
| nono profile init <name> --full | Include all optional sections |
| nono profile init <name> --output <path> | Write to a specific file |
| nono profile init <name> --force | Overwrite existing file |
| nono profile init <name> --description <text> | Set the profile description |
| nono profile schema | Output JSON Schema to stdout |
| nono profile schema --output <path> | Write JSON Schema to a file |
| nono profile guide | Print the authoring guide |