Your First Sandbox
The
-- separator is used for visual clarity, to help the reader distinguish between nono flags and the command being run. It’s not strictly required if there are no flag conflicts, but we recommend using it consistently to avoid ambiguity.Pre-Built Profiles
To get you going quickly, we provide pre-built profiles for popular AI agents and tools. These profiles bundle the right permissions for each tool, so you can get up and running with a single command. Just search for your favorite coding agent from the registryNetwork Access
Network is allowed by default. Use--block-net to disable outbound connections:
--network-profile for host-level filtering or --open-port for localhost IPC between sandboxes:
Interactive Shell (nono shell)
Start a shell with the same sandbox permissions as nono run:
Ctrl-D or exit.
Checking Policy Access (nono why)
The why command checks if a filesystem path, network operation, kernel scope, or Tool Sandbox command invocation would be allowed or denied. It’s designed for both human debugging and programmatic use by AI agents.
| Flag | Description |
|---|---|
--command | Tool-sandbox command name to check |
--caller | Command-policy caller edge (default: session) |
--path | Filesystem path to check |
--op | Operation: read, write, or readwrite (default: read) |
--host | Network host to check (instead of --path) |
--port | Network port (default: 443) |
--json | Output JSON for programmatic use |
--self | Query current sandbox state (inside sandbox) |
nono why --self to get a structured JSON response explaining why and how to fix it.
What Happens at Runtime
- Parse — nono parses your capability flags
- Canonicalize — All paths are resolved to absolute paths (prevents symlink escapes)
- Apply Sandbox — Kernel sandbox is initialized (irreversible)
- Fork & Execute — nono forks a sandboxed child process and runs your command inside it. The unsandboxed parent stays alive for audit recording, rollback, and diagnostics.
- Enforce — Kernel blocks any unauthorized access attempts
Sensitive Paths
The following paths are always blocked by default to protect credentials:~/.ssh- SSH keys~/.aws,~/.gcloud,~/.azure- Cloud credentials~/.gnupg- GPG keys~/.kube,~/.docker- Container credentials~/.zshrc,~/.bashrc,~/.profile- Shell configs (often contain secrets)~/.npmrc,~/.git-credentials- Package manager tokens
nono why --path <path> --op read to check if a specific path is blocked and why. See Profiles & Groups for the full list and how group policy controls these.
Agent Integration
For setting up nono with a specific AI agent:If the agent you want to use cannot be found, create an issue to request consideration for adding it to the registry, or fork an existing profile and submit a PR with the new agent profile. See Package Publishing for details on publishing profiles.
Build your own profile
It’s likely that you are going to want to customize the pre-built profiles or create your own for different tools and needs. You can do this easily withnono profile init which will create a new profile based on an existing one, with the option to customize it interactively.
--profile claude just like the pre-built ones.
From here, move to Profiles & Groups for more indepth details on how to create and manage profiles, groups, and the policy engine.
Next Steps
- CLI Reference - Complete flag documentation
- Examples - Common usage patterns